CCNA CKAD Services Networking Questions

75 of 204 questions · Page 2/3 · CKAD Services Networking topic · Answers revealed

76
Multi-Select · easy

Which TWO statements about Kubernetes Services are correct?

Select 2 answers
A. Headless services (clusterIP: None) are used for load balancing
B. NodePort services expose the service on a static port on each node's IP
C. LoadBalancer services always create an external load balancer even without a cloud provider
D. ExternalName services can be used to expose a service without selectors
E. A Service of type ClusterIP is only accessible from within the cluster
Answers: B, E

NodePort opens a specific port on all nodes.

Why this answer

Headless services (clusterIP: None) are used for StatefulSets and do not provide load balancing. NodePort services expose a port on every node's IP. ClusterIP is the default type.

LoadBalancer type requires external cloud provider support.

77
MCQ · medium

A developer creates a Deployment with 3 replicas and a Service with `clusterIP: None`. What is the primary use case for this headless Service?

A. To assign a static IP address to the Service
B. To automatically create an Ingress resource
C. To expose the Service externally via a load balancer
D. To enable direct pod-to-pod communication without load balancing
Answer: D

Headless Services return the IPs of all pods, enabling direct communication.

Why this answer

A headless Service (clusterIP: None) is used for DNS-based service discovery, typically with StatefulSets to provide stable network identities for each pod.

78
MCQ · medium

A developer wants to test a service locally using kubectl. Which command forwards local port 8080 to the service's port 80?

A. kubectl port-forward pod/myservice 8080:80
B. kubectl port-forward myservice 8080:80
C. kubectl port-forward service/myservice 8080:80
D. kubectl port-forward service/myservice 80:8080
Answer: C

Correct. Forwards local 8080 to service's 80.

Why this answer

The correct syntax is 'kubectl port-forward service/<service-name> 8080:80'. Option B uses 'svc' abbreviation, which is correct, but the order is local:remote. Option A is missing service/ prefix.

Option C is reversed ports. Option D uses pod instead of service.

79
MCQ · medium

A developer creates a headless Service named 'db' to discover all database pod IPs. The Service selects pods with label 'app: db'. The pods are assigned IPs 10.0.0.1, 10.0.0.2, and 10.0.0.3. When a client performs a DNS lookup for 'db', what will it receive?

A. The IP of the first pod only
B. The cluster IP of the Service
C. All three pod IPs as separate A records
D. A round-robin list of pod IPs
Answer: C

DNS returns all pod IPs as A records for the headless Service.

Why this answer

A headless Service (clusterIP: None) does not have a cluster IP. Instead, DNS queries for the Service name return A records for all pods matching the selector. Since the Service selects pods with label 'app: db', the DNS lookup for 'db' returns the three pod IPs (10.0.0.1, 10.0.0.2, 10.0.0.3) as separate A records, allowing direct pod-to-pod communication.

Exam trap

The trap here is that candidates confuse headless Services with regular Services, assuming DNS returns a single cluster IP or a round-robin list, when in fact headless Services return all pod IPs as separate A records with no load balancing.

How to eliminate wrong answers

Option A is wrong because a headless Service does not return only the first pod's IP; it returns all matching pod IPs as separate A records. Option B is wrong because a headless Service has no cluster IP (clusterIP is set to None), so DNS does not return a cluster IP. Option D is wrong because DNS for a headless Service returns all pod IPs in an unordered list; the client's DNS resolver may rotate them, but the Service itself does not implement round-robin — that behavior depends on the client's DNS caching and resolution logic.

80
Multi-Select · easy

Which TWO of the following are required for Ingress to route HTTP traffic to a backend Service?

Select 2 answers
A. Pod readiness probes
B. An Ingress controller deployed in the cluster
C. A Service of type LoadBalancer
D. A Service (any type) that matches the Ingress backend
E. A TLS certificate for HTTPS
Answers: B, D

Ingress controller is required to implement the rules.

Why this answer

An Ingress controller is required because the Ingress resource itself is just a set of routing rules; it does not process traffic. The Ingress controller, typically a pod running a reverse proxy like nginx or Envoy, watches the Ingress API and configures itself to route external HTTP/HTTPS traffic to the appropriate backend Services. Without a running Ingress controller, the Ingress resource has no effect.

Exam trap

CNCF often tests the misconception that an Ingress resource alone can route traffic without a controller, or that a LoadBalancer Service is mandatory for Ingress to work, when in fact the controller handles external exposure and any Service type suffices for the backend.

81
MCQ · medium

You have a Service named 'myservice' in namespace 'default'. A pod in the same cluster but different namespace 'other' wants to resolve the service's IP. What DNS name should it use?

A. myservice.default.svc.cluster.local
B. default.myservice.svc.cluster.local
C. myservice.svc.cluster.local
D. myservice.other.svc.cluster.local
Answer: A

Correct for cross-namespace access.

Why this answer

Cross-namespace DNS uses the format <service>.<namespace>.svc.cluster.local.

82
Multi-Select · hard

Which THREE are valid ways to expose a Service externally in Kubernetes?

Select 3 answers
A. Headless service
B. Type: NodePort
C. Type: LoadBalancer
D. Ingress resource
E. Type: ClusterIP
Answers: B, C, D

Exposes on each node's IP.

Why this answer

NodePort, LoadBalancer, and Ingress are external exposure methods. ClusterIP is internal. Headless services are for internal stable identities.

83
Multi-Select · medium

A DevOps engineer is setting up network policies in a Kubernetes cluster. The goal is to allow traffic from pods with label 'role=frontend' to pods with label 'role=backend' on TCP port 8080, and deny all other ingress to backend pods. Which two components are necessary to implement this? (Choose two.)

Select 2 answers
A. A NetworkPolicy with an ingress rule selecting pods with role=backend
B. A Service of type LoadBalancer to expose backend pods
C. A pod anti-affinity rule to ensure frontend pods are not scheduled on the same nodes as backend pods
D. An ingress rule that allows from pods with role=frontend on port 8080
E. A CNI plugin that supports NetworkPolicy enforcement, such as Calico
Answers: A, D

The NetworkPolicy defines the allowed ingress to backend pods.

Why this answer

Option A is correct because a NetworkPolicy with an ingress rule selecting pods with label 'role=backend' defines the target pods for the policy. This is the foundational component that scopes the policy to backend pods, allowing you to then specify which sources (frontend pods) and ports (TCP 8080) are permitted.

Exam trap

The trap here is that candidates often think a CNI plugin (like Calico) is one of the two components needed to 'implement' the policy, but the question asks for the components you configure (the NetworkPolicy and its ingress rule), not the underlying infrastructure that makes it work.

84
Multi-Select · hard

Which THREE components are required for a basic Ingress to route HTTP traffic to a Service? (Choose three.)

Select 3 answers
A. A Deployment of the application
B. A Service of type ClusterIP or NodePort
C. A NetworkPolicy allowing traffic from the Ingress controller
D. An Ingress resource YAML file
E. An Ingress controller (e.g., nginx-ingress)
Answers: B, D, E

The Ingress forwards traffic to a Service.

Why this answer

A Service of type ClusterIP or NodePort is required because the Ingress resource routes external HTTP traffic to a Service, which then forwards it to the Pods. ClusterIP is the default and most common type for internal cluster routing, while NodePort can also be used but is less typical. Without a Service, the Ingress has no endpoint to direct traffic to.

Exam trap

CNCF often tests the misconception that a Deployment is mandatory for Ingress to work, but the Ingress only requires a Service to route to, and the underlying Pods can be created by any workload resource (e.g., a ReplicaSet or even a standalone Pod).

85
MCQ · medium

A Pod needs to communicate with another Pod in the same cluster but in a different namespace. What is the correct DNS name to use?

A. `<namespace>.<service>.svc.cluster.local`
B. `<service>.<namespace>.pod.cluster.local`
C. `<service>.svc.cluster.local`
D. `<service>.<namespace>.svc.cluster.local`
Answer: D

Standard format for cross-namespace DNS.

Why this answer

Option D is correct because Kubernetes DNS resolves services across namespaces using the format `<service>.<namespace>.svc.cluster.local`. When a Pod in one namespace needs to communicate with a service in another namespace, the fully qualified domain name (FQDN) must include the namespace to disambiguate the service. This is defined by the Kubernetes DNS specification, which appends `svc.cluster.local` as the cluster domain suffix.

Exam trap

The trap here is that candidates often forget the namespace is required for cross-namespace communication and pick Option C, which only works within the same namespace, or confuse the order of service and namespace as in Option A.

How to eliminate wrong answers

Option A is wrong because it reverses the order of service and namespace, which would not resolve to the correct service endpoint. Option B is wrong because it uses `.pod.cluster.local` instead of `.svc.cluster.local`; Pod DNS records use the format `<pod-ip>.<namespace>.pod.cluster.local`, not service names. Option C is wrong because it omits the namespace, which only works when the source and target are in the same namespace; cross-namespace communication requires the namespace qualifier.

86
MCQ · easy

What is the DNS name for a Service named 'backend' in the 'default' namespace?

A. backend.default.cluster.local
B. backend.default.svc.cluster.local
C. backend.svc.cluster.local
D. backend.default.svc.cluster
Answer: B

Correct format: <service>.<namespace>.svc.cluster.local

Why this answer

The DNS name format for a Service is <service-name>.<namespace>.svc.cluster.local. Option A is correct. Option B is missing the namespace.

Option C is incorrect because the suffix is .svc.cluster.local, not .svc.cluster. Option D is incorrect because the namespace comes before 'svc'.

87
Matching · medium

Match each YAML key in a Deployment manifest to its purpose.

Concepts
Matches

API version of the resource (e.g., apps/v1)

Desired number of pod instances

Labels used to identify pods managed by the deployment

Labels assigned to pods created by the template

Container image to run

Why these pairings

These are critical fields in a Deployment YAML.

88
MCQ · medium

You have deployed a microservices application in a Kubernetes cluster. One of the services, 'payment-service', needs to be accessed by other services within the cluster via a stable DNS name. You create a Service of type ClusterIP named 'payment' with selector app=payment. However, when you try to curl http://payment from another Pod, the connection times out. You verify that the Pods backing 'payment-service' are running and ready, and the Endpoints object lists the correct Pod IPs. You also confirm that the Pods are listening on port 8080, and the Service defines targetPort: 8080. The cluster uses a standard CNI plugin (Calico) and DNS is provided by CoreDNS. What is the most likely cause of the timeout?

A. The Service name 'payment' is not resolvable by DNS
B. The Pods are listening on 127.0.0.1 only, not on 0.0.0.0
C. The targetPort in the Service does not match the containerPort in the Pod spec
D. The Service type should be NodePort instead of ClusterIP
Answer: B

Pods listening on localhost are not reachable from other Pods via service IP.

Why this answer

The most likely cause is that the Pods are listening only on 127.0.0.1 (localhost), which means they only accept connections from within the same Pod. When the Service sends traffic to the Pod via its cluster IP, the connection arrives on the Pod's network interface (e.g., eth0), not on loopback. Since the application is not bound to 0.0.0.0, it rejects or ignores the incoming packets, causing a timeout.

This is a classic misconfiguration where the application's listen address is too restrictive.

Exam trap

The trap here is that candidates often assume DNS or port mismatches are the issue, but the timeout (not 'connection refused' or 'could not resolve') points to the application not accepting traffic on the correct network interface, which is a subtle but critical detail in Kubernetes networking.

How to eliminate wrong answers

Option A is wrong because the user can successfully curl from another Pod, and DNS resolution would fail immediately with a 'could not resolve host' error, not a timeout; the timeout indicates the connection reached the Pod but was not accepted. Option C is wrong because the user verified that the Endpoints object lists correct Pod IPs and the Service defines targetPort: 8080, which matches the containerPort; if they didn't match, the Endpoints would be empty or the connection would be refused on a different port. Option D is wrong because ClusterIP is the correct type for in-cluster access via a stable DNS name; NodePort is for external access and would not fix a connectivity issue caused by the application binding to localhost.

89
Multi-Select · hard

Which THREE of the following are true about Kubernetes Services? (Select 3)

Select 3 answers
A. The NodePort range is 30000-32767 by default.
B. A Service of type ClusterIP is cluster-internal by default.
C. Headless Services have a ClusterIP assigned.
D. A Service of type NodePort exposes the Service on a static port on each node.
E. Services can only expose one port.
Answers: A, B, D

Default NodePort range is 30000-32767.

Why this answer

ClusterIP is default, Services can have multiple ports, and NodePorts are allocated from a range (default 30000-32767).

90
Multi-Select · medium

Which TWO of the following are correct about the ExternalName Service type?

Select 2 answers
A. It maps a Service to a DNS name, not to pods
B. It provides load balancing across pods
C. It selects pods using a label selector
D. It returns a CNAME record in DNS
E. It requires a cloud provider load balancer
Answers: A, D

Correct.

Why this answer

Option A is true: ExternalName maps to an external DNS name. Option D is true: It returns a CNAME record. Option B is false: It does not have selectors or pod endpoints.

Option C is false: It does not provide load balancing. Option E is false: It does not require a cloud provider.

91
MCQ · medium

A StatefulSet named 'mysql' is deployed with 3 replicas. The administrator wants each pod to have a stable network identity. Which service configuration is required?

A. A headless service with clusterIP: None and selector matching the StatefulSet
B. A ClusterIP service named 'mysql'
C. A NodePort service named 'mysql'
D. An ExternalName service pointing to an external database
Answer: A

Headless services provide stable network identities.

Why this answer

StatefulSets require headless services (clusterIP: None) to provide stable DNS names for each pod (e.g., mysql-0.mysql.default.svc.cluster.local).

92
Multi-Select · medium

Which TWO commands can be used to list the endpoints of a Service named 'my-svc'?

Select 3 answers
A. kubectl get networkpolicy
B. kubectl get pods -l app=my-svc
C. kubectl describe svc my-svc
D. kubectl get ep my-svc
E. kubectl get endpoints my-svc
Answers: C, D, E

Shows endpoints in the output.

Why this answer

Endpoints can be viewed via 'kubectl get endpoints my-svc' and 'kubectl describe svc my-svc' shows endpoint information.

93
MCQ · hard

A NetworkPolicy named 'default-deny-all' is applied to a namespace. It has no rules. Which statement is true?

A. All ingress and egress traffic is denied for pods matching the selector
B. Only ingress traffic is denied; egress is allowed by default
C. Only traffic from pods in the same namespace is allowed
D. Traffic is allowed because no rules are defined
Answer: A

Default deny all pattern.

Why this answer

Option D is correct. A NetworkPolicy with no rules (empty spec) effectively denies all ingress and egress traffic to pods selected by the policy (if podSelector is empty, it applies to all pods in the namespace). Option A is wrong because egress is also denied.

Option B is wrong because empty rules deny all. Option C is wrong because no traffic is allowed.

94
MCQ · hard

You are responsible for a multi-tier application running in a Kubernetes cluster. The frontend Pods communicate with backend Pods via a Service named 'backend' in the same namespace. Recently, the frontend team reported that the backend Service is intermittently unreachable. You inspect the backend Pods and notice that they are all running and ready, but the Endpoints object for the 'backend' Service shows only a subset of the Pod IPs. You also notice that the backend Pods have a readiness probe configured that checks an HTTP endpoint '/healthz'. The readiness probe has a periodSeconds of 5 and failureThreshold of 3. The application logs show occasional spikes in response time on the /healthz endpoint, sometimes exceeding 15 seconds. You need to resolve the intermittent unavailability without removing the readiness probe. Which action should you take?

A. Remove the readiness probe configuration from the backend Pods
B. Add a second readiness probe on a different endpoint to increase redundancy
C. Change the Service type from ClusterIP to NodePort to bypass endpoint issues
D. Increase the failureThreshold to 10 and periodSeconds to 10 to tolerate transient slowness
Answer: D

Higher threshold and period allow more tolerance for slow health checks, reducing flapping.

Why this answer

Option D is correct because increasing the failureThreshold to 10 and periodSeconds to 10 gives the readiness probe more time (100 seconds total) to tolerate transient slowness on the /healthz endpoint, preventing premature removal of Pod IPs from the Endpoints object. This keeps all backend Pods in the ready state during response time spikes, ensuring the Service remains reachable.

Exam trap

The trap here is that candidates might think removing the readiness probe (Option A) is a quick fix, but the CKAD exam emphasizes that readiness probes are essential for traffic routing and should be tuned, not removed, to handle transient issues.

How to eliminate wrong answers

Option A is wrong because removing the readiness probe would allow traffic to be sent to Pods that may be unresponsive, causing application errors and defeating the purpose of health checking. Option B is wrong because adding a second readiness probe on a different endpoint does not address the root cause of intermittent slowness on the existing /healthz endpoint; it could even cause more Pods to be marked unready if the new endpoint also experiences delays. Option C is wrong because changing the Service type to NodePort does not bypass endpoint issues; the Endpoints object is still used for routing, and NodePort only exposes the Service externally without fixing the readiness probe logic.

95
Multi-Select · medium

Which THREE statements about Ingress are correct? (Choose three.)

Select 3 answers
A. Ingress can terminate TLS connections.
B. Ingress can route traffic based on host header.
C. Ingress can route traffic based on source IP.
D. Ingress can route traffic based on URL path.
E. Ingress can route traffic based on destination port.
Answers: A, B, D

TLS termination is a common use case.

Why this answer

Ingress can do path-based routing and host-based routing. It supports TLS termination. It requires an Ingress controller.

It does not support port-based routing directly; you use path or host.

96
MCQ · medium

A Pod needs to access an external database at db.example.com:3306. Which Service type allows Pods to resolve a cluster-local name to this external address?

A. ExternalName
B. LoadBalancer
C. NodePort
D. ClusterIP
Answer: A

ExternalName returns CNAME to external DNS name.

Why this answer

The ExternalName Service type maps a cluster-local DNS name (e.g., `my-db.default.svc.cluster.local`) to an external DNS name (`db.example.com`) using a CNAME record. This allows Pods to resolve the service name to the external database address without needing to modify application code or use an external endpoint.

Exam trap

The trap here is that candidates often confuse ExternalName with ClusterIP, thinking any Service can resolve external names, but only ExternalName provides a CNAME-based DNS alias without proxying traffic.

How to eliminate wrong answers

Option B (LoadBalancer) is wrong because it exposes the Service externally via a cloud provider's load balancer, which is used for external traffic ingress, not for resolving a cluster-local name to an external address. Option C (NodePort) is wrong because it exposes the Service on a static port on each Node's IP, intended for external access, not for DNS-based resolution to an external hostname. Option D (ClusterIP) is wrong because it provides a virtual IP within the cluster for Pod-to-Pod communication, but it cannot resolve to an external DNS name; it only routes traffic to internal endpoints.

97
MCQ · easy

Which Service type is used to expose a Service on a static port on each node's IP address, allowing external traffic to reach the Service?

A. ClusterIP
B. ExternalName
C. NodePort
D. LoadBalancer
Answer: C

NodePort opens a port on every node for external access.

Why this answer

NodePort exposes the Service on a port on each node's IP address, accessible from outside the cluster.

98
Multi-Select · medium

Which TWO of the following are valid methods to create a Service in Kubernetes? (Select 2)

Select 3 answers
A. kubectl apply -f service.yaml
B. kubectl expose deployment my-deploy --port=80
C. kubectl port-forward svc/my-svc 8080:80
D. kubectl run my-svc --image=nginx --port=80
E. kubectl create service clusterip my-svc --tcp=80:80
Answers: A, B, E

Applying a YAML manifest creates the Service.

Why this answer

Both `kubectl expose` and creating a YAML manifest are valid methods.

99
MCQ · medium

An Ingress resource is configured with TLS. Which field in the Ingress YAML specifies the secret containing the TLS certificate and key?

A. spec.tls[].secretName
B. metadata.annotations['tls-secret']
C. spec.tls[].secret
D. spec.secretName
Answer: A

Correct: secretName specifies the TLS secret.

Why this answer

Option A is correct. The TLS configuration in an Ingress includes a 'secretName' field in the 'tls' array that references a secret in the same namespace.

100
MCQ · medium

You have a Deployment with pods labeled 'tier: frontend'. You create a Service with selector 'tier: frontend'. However, the Service has no endpoints. What is the MOST likely cause?

A. The pod labels do not match the service selector
B. The service has multiple ports defined
C. The service port does not match the container port
D. The service and pods are in different namespaces
Answer: A

You need an exact match for the service to select pods.

Why this answer

Option C is correct. If a service selector does not match any pod labels, the service will have no endpoints. Option A (wrong port) would still show endpoints if pods match.

Option B (multiple ports) is not a problem. Option D (namespace) would be an issue if different, but the question implies same namespace.

101
MCQ · hard

An administrator applies the following NetworkPolicy:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

After applying this policy, which traffic flows are affected?

A. Only inbound traffic to pods is denied
B. Only outbound traffic from pods is denied
C. Both inbound and outbound traffic for all pods in the namespace is denied
D. Traffic to and from the kube-system namespace is also denied
Answer: C

The policy selects all pods and denies ingress and egress; any traffic not explicitly allowed by other policies is denied.

Why this answer

This policy selects all pods (empty podSelector) and denies all ingress and egress traffic by default because no rules are specified. It does not affect traffic that is not covered by policyTypes, but since both are selected, all inbound and outbound traffic is denied for all pods in the namespace.

102
MCQ · medium

An Ingress resource has the following spec:

```yaml
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
```

What will the Ingress controller do for a request to http://example.com/api/v1/users?

A. Route the request to api-service on port 80.
B. Route the request to the default backend.
C. Return a 502 Bad Gateway error.
D. Return 404 Not Found because the path does not match exactly.
Answer: A

Prefix match succeeds.

Why this answer

Prefix matching matches any path starting with /api, so /api/v1/users matches.

103
Multi-Select · hard

Which THREE statements about NetworkPolicy are correct?

Select 3 answers
A. A single NetworkPolicy can contain both ingress and egress rules
B. A NetworkPolicy can use ipBlock in the from or to field to allow traffic to/from specific IP ranges
C. NetworkPolicy is a cluster-scoped resource
D. NetworkPolicy can only be applied to pods with a specific annotation
E. By default, if no NetworkPolicy selects a pod, all traffic to/from that pod is allowed
Answers: A, B, E

Yes, using policyTypes to specify which rules apply.

Why this answer

NetworkPolicy is namespace-scoped. Default is to allow all traffic if no policy selects the pod. An egress rule can restrict outbound traffic to specific IPs (ipBlock).

104
Multi-Select · medium

Which TWO of the following are valid ways to expose a service externally on a Kubernetes cluster? (Select 2)

Select 2 answers
A. NodePort
B. kubectl port-forward
C. ExternalName
D. LoadBalancer
E. ClusterIP
Answers: A, D

NodePort exposes the service on a static port on each node, accessible externally.

Why this answer

NodePort and LoadBalancer are both methods to expose services externally. ClusterIP is internal only. ExternalName maps to an external DNS name.

Port-forward is for development only.

105
MCQ · hard

A Service named 'api' has no endpoints. 'kubectl describe svc api' shows the selector 'app: api', but no pods have that label. What is the most likely reason for missing endpoints?

A. The Service is in a different namespace than the pods
B. No pods match the Service's selector
C. The Service port is incorrect
D. The Service type is ExternalName
Answer: B

The selector 'app: api' does not match any pods, so no endpoints.

Why this answer

Endpoints are created by the Service based on the selector. If no pods match the selector, the endpoints list will be empty. The solution is to check the pod labels.

106
MCQ · easy

What is the DNS name for a Service named `svc` in namespace `ns`?

A. svc.cluster.local
B. svc.ns.svc.cluster.local
C. svc.svc.cluster.local
D. ns.svc.cluster.local
Answer: B

Correct format.

Why this answer

The standard DNS name for a Service is <service>.<namespace>.svc.cluster.local.

107
MCQ · medium

A company runs a web application in a Kubernetes cluster. The application consists of a frontend service and a backend service. The frontend needs to communicate with the backend using a DNS name that does not change even if the backend pods are recreated. Which Kubernetes resource should the frontend use to reach the backend?

A. An EndpointSlice
B. A regular ClusterIP Service
C. An Ingress resource
D. A headless Service
Answer: B

A ClusterIP Service provides a stable virtual IP and DNS name that load balances to pods.

Why this answer

A regular ClusterIP Service provides a stable virtual IP and DNS name (e.g., <service-name>.<namespace>.svc.cluster.local) that remains constant regardless of pod churn. The frontend can use this DNS name to reach the backend, and the service load-balances traffic to the current set of backend pods via its label selector. This meets the requirement of a fixed DNS name that survives pod recreation.

Exam trap

The trap here is that candidates often confuse a headless Service with a regular ClusterIP Service, thinking that because headless Services also provide DNS, they are suitable for stable communication, but they fail to realize that headless Services return a dynamic list of pod IPs rather than a fixed virtual IP, which violates the requirement for an unchanging DNS name.

How to eliminate wrong answers

Option A is wrong because an EndpointSlice is a lower-level resource that tracks the IP addresses of pods matching a Service’s selector; it does not provide a stable DNS name or virtual IP for frontend-to-backend communication. Option C is wrong because an Ingress resource handles external HTTP/HTTPS traffic routing into the cluster, not internal service-to-service DNS-based communication. Option D is wrong because a headless Service (clusterIP: None) does not provide a single stable virtual IP or a round-robin DNS name; it returns the IPs of all matching pods directly, which can change as pods are recreated, breaking the requirement for a fixed DNS name.

108
MCQ · medium

You create a Service named 'backend' in namespace 'prod'. A pod in namespace 'dev' tries to reach the service using the DNS name 'backend.prod.svc.cluster.local'. The pod cannot resolve the name. What is the most likely cause?

A. CoreDNS is configured to reject cross-namespace queries
B. The 'prod' namespace does not exist
C. The pod is using the short name 'backend' without the namespace suffix
D. The cluster DNS service is not running
Answer: C

Pods can only resolve short service names within the same namespace. To resolve a service in another namespace, the FQDN must be used.

Why this answer

By default, Kubernetes DNS resolves names within the same namespace. To resolve across namespaces, the fully qualified domain name (FQDN) must be used. Option B is correct.

Option A is incorrect because cluster DNS is enabled by default. Option C is incorrect because CoreDNS can resolve cross-namespace requests if the FQDN is used. Option D is incorrect because namespace deletion would remove the service entirely.

109
Multi-Select · medium

Which THREE items are required for Ingress to work correctly in a Kubernetes cluster?

Select 3 answers
A. At least one rule specifying either host or path
B. An Ingress controller running in the cluster
C. A TLS secret for HTTPS termination
D. A LoadBalancer service for the backend
E. A default backend service
Answers: A, B, C

Rules define how to route traffic.

Why this answer

An Ingress resource needs an Ingress controller to process it. Rules define routing. TLS configuration enables HTTPS.

IngressClass is optional but recommended. Backend service must be of type ClusterIP.

110
Drag & Drop · medium

Arrange the steps to create a multi-container Pod with a shared volume.


Why this order

Define Pod with containers, add shared emptyDir volume, mount in each container, apply, then test.

111
MCQ · easy

A developer wants to access a specific pod's port 8080 from their local machine using a temporary connection. Which command should they use?

A. kubectl exec -it pod-name -- sh
B. kubectl port-forward pod/pod-name 8080:8080
C. kubectl proxy
D. kubectl expose pod pod-name --port=8080
Answer: B

This command forwards local port 8080 to pod's port 8080.

Why this answer

kubectl port-forward creates a tunnel from a local port to a pod's port.

112
MCQ · medium

A NetworkPolicy with the following spec is applied:

```yaml
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
```

What does this policy do?

A.Allows all outgoing traffic from pods labeled 'role: frontend'
B.Blocks all incoming traffic to pods labeled 'role: frontend'
C.Allows incoming traffic from pods labeled 'role: frontend' to all pods
D.Has no effect because policyTypes is missing Egress
AnswerC

The policy selects all pods and allows ingress from matching pods.

Why this answer

An empty podSelector {} selects all pods in the namespace. Since policyTypes includes Ingress only, and the ingress rule allows traffic from pods with label 'role: frontend', all other inbound traffic is denied by default because NetworkPolicy isolates pods when it selects them.

113
Multi-Selectmedium

Which TWO statements about Ingress are correct?

Select 2 answers
A.An Ingress resource without an IngressClass will not work
B.Only one Ingress resource can exist per namespace
C.Ingress can handle non-HTTP protocols like TCP
D.Ingress can route traffic based on the requested hostname
E.TLS termination can be configured in the Ingress spec
AnswersD, E

Host-based routing is a common feature.

Why this answer

Ingress can route based on host and path, and can terminate TLS. Ingress does not support TCP/UDP directly; it's for HTTP/HTTPS. IngressClass is used to select the Ingress controller.

Multiple Ingress resources can coexist.

114
MCQeasy

A user creates a Deployment with 3 replicas and a Service of type ClusterIP. The Service selects pods with label 'app: web'. The user wants external clients to access the application via a stable IP address. Which additional resource is required?

A.A second Service of type NodePort
B.A NetworkPolicy
C.An Ingress resource
D.A ConfigMap
AnswerC

An Ingress provides external HTTP/HTTPS access and can be configured with a stable IP.

Why this answer

A ClusterIP Service is only reachable within the cluster. To expose a Deployment to external clients via a stable IP, an Ingress resource is required because it provides HTTP/HTTPS routing from outside the cluster to the Service, typically using a load balancer or a reverse proxy like NGINX. Ingress also offers a stable external IP (or hostname) and can manage TLS termination, making it the correct choice for external access with a stable endpoint.

Exam trap

CNCF often tests the misconception that a ClusterIP Service alone can be accessed externally, or that a NodePort Service provides a stable IP, when in fact NodePort exposes on ephemeral node IPs and ports, while Ingress provides a stable external endpoint with path-based routing.

How to eliminate wrong answers

Option A is wrong because creating a second NodePort Service would expose the application on a high port on each node, but it does not provide a stable IP address; the node IPs may change, and clients would need to know the specific node and port. Option B is wrong because a NetworkPolicy controls ingress/egress traffic between pods within the cluster, not external access; it cannot expose the application to external clients. Option D is wrong because a ConfigMap is used to store configuration data (e.g., environment variables) for pods, not to expose services externally.

115
MCQhard

You have a NetworkPolicy that allows ingress from pods with label 'app: frontend' in any namespace, and also allows ingress from the IP range '10.0.0.0/8'. The policy is not working as expected. Which YAML snippet correctly implements both requirements?

A.ingress: - from: - namespaceSelector: {} podSelector: matchLabels: app: frontend - from: - ipBlock: cidr: 10.0.0.0/8
B.ingress: - from: - namespaceSelector: {} - podSelector: matchLabels: app: frontend - ipBlock: cidr: 10.0.0.0/8
C.ingress: - from: - podSelector: matchLabels: app: frontend - ipBlock: cidr: 10.0.0.0/8
D.ingress: - from: - namespaceSelector: {} podSelector: matchLabels: app: frontend - ipBlock: cidr: 10.0.0.0/8
AnswerA

This correctly separates the two rules: one for pods with label app: frontend in any namespace, and one for the IP range.

Why this answer

To allow ingress from pods with a specific label in any namespace, you use namespaceSelector: {} and podSelector with matchLabels. For IP range, you use ipBlock. Both rules should be in the ingress array.

Option B is correct. Option A uses namespaceSelector with podSelector but the namespaceSelector {} is missing. Option C uses ipBlock incorrectly.

Option D uses only from with both, but the structure is wrong.

116
MCQmedium

A NetworkPolicy named 'deny-all' is applied in a namespace. Which YAML snippet correctly implements a default-deny-all ingress policy?

A.spec: podSelector: {} policyTypes: - Ingress
B.spec: podSelector: {} ingress: - from: []
C.spec: podSelector: matchLabels: {} ingress: - from: []
D.spec: podSelector: matchLabels: {} policyTypes: - Ingress
AnswerA

Empty podSelector targets all pods; no ingress rules means deny all ingress.

Why this answer

Option A is correct. A default-deny ingress policy has an empty podSelector (meaning all pods) and no ingress rules, blocking all incoming traffic.

117
MCQhard

An Ingress resource specifies TLS termination using a secret. The secret must contain which keys?

A.username and password
B.cert.pem and key.pem
C.ca.crt and tls.crt
D.tls.crt and tls.key
AnswerD

Standard keys for TLS certificate and private key.

Why this answer

Option C is correct. TLS secrets in Kubernetes must contain 'tls.crt' and 'tls.key' data keys. Option A is for a different purpose.

Option B is for authentication. Option D is for custom.

118
MCQhard

A DevOps engineer notices that traffic to a Service named 'api' is not being forwarded to newly created pods. The Service selects pods with label 'app: api'. The pods are running and have the correct label. However, the Service's endpoints list does not include the new pods. What is the most likely cause?

A.The pods are in a different namespace
B.The Service's targetPort does not match the container's port
C.The Service type is NodePort instead of ClusterIP
D.The pods have a different label than 'app: api'
AnswerB

If targetPort does not match, endpoints are not created.

Why this answer

Option B is correct because the Service's `targetPort` must match the `containerPort` defined in the pod's container spec. If they differ, the Service will not route traffic to the pod, and the pod will not appear in the Endpoints object, even if the label selector matches. Kubernetes validates the endpoint population by checking that the pod's readiness probe passes and that the target port is reachable on the pod's IP.

Exam trap

CNCF often tests the subtle distinction between the Service's `port` (exposed by the Service) and `targetPort` (the container's listening port), where candidates assume the `port` field is used for pod selection, leading them to overlook the `targetPort` mismatch.

How to eliminate wrong answers

Option A is wrong because Services and pods in different namespaces cannot be selected by the Service's label selector; the Service would have no endpoints at all, not just missing new pods. Option C is wrong because changing the Service type to NodePort does not affect endpoint population; NodePort still uses the same selector and targetPort logic. Option D is wrong because the question explicitly states the pods have the correct label 'app: api', so a label mismatch is not the issue.

119
MCQeasy

What is the default service type in Kubernetes?

A.NodePort
B.ExternalName
C.ClusterIP
D.LoadBalancer
AnswerC

ClusterIP is the default service type.

Why this answer

If you create a Service without specifying type, it defaults to ClusterIP, which makes the service accessible only within the cluster.

120
MCQhard

You apply the following NetworkPolicy:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

After applying, pods in the namespace cannot reach the kube-dns service. What is the most likely reason?

A.The policy does not have a namespaceSelector
B.The policy blocks all egress traffic, including DNS
C.The policy blocks all ingress traffic only
D.The kube-dns service is not running
AnswerB

Empty egress rules allow no egress traffic, so DNS (UDP 53) is blocked.

Why this answer

This policy selects all pods and has empty ingress and egress rules, which default to denying all traffic. Egress to DNS is blocked.

121
Multi-Selecthard

Which THREE components are typically involved when using Ingress to expose a service?

Select 3 answers
A.Ingress resource
B.External load balancer
C.Ingress controller
D.NetworkPolicy
E.Service
AnswersA, C, E

Defines routing rules.

Why this answer

A, B, D are correct. Ingress resource defines rules, Ingress controller implements them, and Service routes to pods. C is not required; E is optional but not typically involved.

122
MCQmedium

You are tasked with creating a NetworkPolicy that denies all ingress traffic to pods in the 'db' namespace by default. Which YAML snippet correctly implements this?

A.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: db
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress: []
```
B.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: db
spec:
  podSelector: {}
  policyTypes:
  - Ingress
```
C.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: db
spec:
  podSelector: {}
  ingress:
  - {}
```
D.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: db
spec:
  podSelector: {}
  policyTypes:
  - Egress
```
AnswerB

This selects all pods in the namespace and specifies only Ingress in policyTypes with no rules, thus denying all ingress traffic.

Why this answer

The default deny all ingress policy selects all pods (podSelector: {}) and has no ingress rules. Option A is correct. Option B allows ingress with {} rule.

Option C selects nothing. Option D is egress-only.

123
MCQhard

An Ingress resource is configured with TLS termination. The secret referenced in the Ingress is present, but the Ingress controller returns 404. What is the most likely cause?

A.The IngressClass annotation is missing
B.The Ingress controller is not installed
C.The backend Service does not have any endpoints
D.The TLS certificate is expired
AnswerC

If the Service's selector does not match any pods, the Ingress controller will return 404.

Why this answer

If the Ingress controller returns 404, often the backend Service or its endpoints are not correctly configured or the Service does not have matching selectors.

124
MCQhard

You have an Ingress resource with TLS configured. The certificate is stored in a Secret named 'my-tls'. Which field in the Ingress YAML specifies the Secret name?

A..spec.tls[0].secretName
B..spec.tls[0].secret
C..metadata.annotations['cert-manager.io/cluster-issuer']
D..spec.tlsSecretName
AnswerA

This is the correct location to reference the Secret.

Why this answer

In the Ingress spec, under tls, the secretName field specifies the Secret containing the TLS certificate and key.

125
MCQmedium

You have an Ingress resource that routes traffic to two services: 'app1' and 'app2'. The requirement is that traffic for 'app.example.com' goes to app1, and traffic for any other host goes to app2. Which Ingress specification correctly achieves this?

A.
```yaml
spec:
  rules:
  - host: "*"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app2
            port:
              number: 80
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app1
            port:
              number: 80
```
B.
```yaml
spec:
  defaultBackend:
    service:
      name: app2
      port:
        number: 80
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app1
            port:
              number: 80
```
C.
```yaml
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app2
            port:
              number: 80
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app1
            port:
              number: 80
```
D.
```yaml
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app1
            port:
              number: 80
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app2
            port:
              number: 80
```
AnswerD

First rule matches host app.example.com and routes to app1. Second rule has no host, so it matches any other host and routes to app2.

Why this answer

To route based on host, you use the 'host' field under rules. For default backend (no host match), you specify a default backend at the spec level. The correct YAML has two rules: one with host and one without (or a default backend).

126
MCQmedium

You have a Service named 'my-svc' in the 'prod' namespace. What is the fully qualified DNS name for this Service?

A.my-svc.prod.svc.cluster.local
B.my-svc.svc.cluster.local
C.prod.my-svc.svc.cluster.local
D.my-svc.prod.cluster.local
AnswerA

Correct DNS name.

Why this answer

The form is <service>.<namespace>.svc.cluster.local.

127
MCQmedium

A pod is unable to resolve the DNS name of a Service in the same namespace. The pod's /etc/resolv.conf shows 'nameserver 10.96.0.10'. What is the most likely cause?

A.The kube-dns Service is not running
B.The pod is using dnsPolicy: Default
C.The Service is of type ExternalName
D.The pod's /etc/hosts file is misconfigured
AnswerA

If kube-dns is not running, DNS resolution fails.

Why this answer

The DNS server IP 10.96.0.10 is the default ClusterIP of the kube-dns Service. If the pod can't resolve a Service in the same namespace, it's likely that the DNS service is not running or the pod's DNS policy is incorrect. However, the most common issue is that the kube-dns Service is not reachable due to network policy or the kube-dns pods are not running.

128
Multi-Selectmedium

Which TWO of the following are valid Ingress pathTypes in Kubernetes networking.k8s.io/v1?

Select 2 answers
A.Prefix
B.Exact
C.Wildcard
D.Suffix
E.ImplementationSpecific
AnswersA, B

Valid pathType.

Why this answer

Options B and C are correct. The valid pathTypes are 'Prefix' (matches based on URL path prefix) and 'Exact' (matches exact URL path). Option A is misspelled.

Option D is not valid. Option E is not valid.

129
Multi-Selecthard

Which TWO of the following are correct statements about DNS in Kubernetes?

Select 2 answers
A.Pod DNS records are created by default with format pod-ip.namespace.pod.cluster.local
B.DNS resolution works only for ClusterIP services
C.A service's DNS name includes the namespace: service.namespace.svc.cluster.local
D.Headless services return a single A record for the service IP
E.A service's fully qualified domain name is service.namespace.cluster.local
AnswersA, C

Yes, Kubernetes DNS creates pod records.

Why this answer

Options B and D are correct. Service DNS format is 'service.namespace.svc.cluster.local' (B). Pod DNS by default is 'pod-ip-address.namespace.pod.cluster.local' (D).

Option A is missing 'svc'. Option C is wrong because headless services return multiple A records. Option E is wrong because service DNS is not limited to ClusterIP type.

130
MCQeasy

Which Service type is used to expose a Service on a static port on each node in the cluster?

A.ClusterIP
B.ExternalName
C.NodePort
D.LoadBalancer
AnswerC

NodePort exposes a port on each node.

Why this answer

NodePort exposes the Service on a static port on each node's IP address.

131
MCQmedium

You want to expose a Deployment 'app' externally on port 30080 on each node. What service type should you use?

A.LoadBalancer
B.ExternalName
C.NodePort
D.ClusterIP
AnswerC

NodePort exposes on a port on each node.

Why this answer

NodePort exposes a service on a static port on each node's IP, allowing external access via NodeIP:NodePort. Port 30080 falls within the valid NodePort range (30000-32767).

132
MCQmedium

What is the purpose of the `IngressClass` resource in Kubernetes?

A.To enable path-based routing.
B.To define the TLS certificate for an Ingress.
C.To specify which Ingress controller should implement the Ingress.
D.To set the default backend for an Ingress.
AnswerC

IngressClass selects the controller.

Why this answer

IngressClass allows selecting a specific Ingress controller implementation to handle the Ingress resource.

133
MCQmedium

A headless service is created with 'clusterIP: None'. What is the primary use case for such a service?

A.To allow direct pod-to-pod DNS resolution for StatefulSets.
B.To provide a stable IP address for the service.
C.To expose the service externally without a load balancer.
D.To enable DNS round-robin across all pods.
AnswerA

Correct. StatefulSets use headless services for stable network identities.

Why this answer

Headless services are used for StatefulSets to allow pod-to-pod DNS resolution. They are also useful for custom load balancing or when you don't need a single IP.

134
MCQeasy

Which Service type exposes a Service externally via each Node's IP on a static port?

A.NodePort
B.ClusterIP
C.LoadBalancer
D.ExternalName
AnswerA

NodePort opens a port on every node that forwards to the service.

Why this answer

NodePort exposes the service on each node's IP at a static port (30000-32767).

135
MCQmedium

You create a Service with the following manifest. What is the effect?

service.yaml:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: ext-svc
spec:
  type: ExternalName
  externalName: db.example.com
```

A.The service is a CNAME alias for db.example.com
B.The service gets a ClusterIP and forwards to db.example.com
C.The service creates a load balancer pointing to db.example.com
D.The service selects pods with label app: ext
AnswerA

ExternalName maps the service DNS name to the external DNS name.

Why this answer

ExternalName services return a CNAME record for the external name, not a ClusterIP.

136
MCQhard

You create a headless service with 'clusterIP: None' for a StatefulSet. How does a client discover the individual pod IPs?

A.DNS returns multiple A records for the service name, each pointing to a pod IP
B.The service returns the pod's hostname from the StatefulSet
C.An Ingress controller must be configured to expose each pod
D.The service provides a virtual IP that load balances among pods
AnswerA

Headless services allow DNS to return multiple A records for pod IPs.

Why this answer

Option A is correct. For a headless service, DNS returns A/AAAA records for all pods that match the selector. Clients can then connect directly to any pod IP.

Option B describes a regular ClusterIP service. Option C is about Ingress. Option D is about ExternalName.

137
Multi-Selecthard

Which THREE of the following are true about NetworkPolicy? (Select 3)

Select 3 answers
A.Multiple NetworkPolicies are additive
B.NetworkPolicy can select pods in other namespaces using namespaceSelector
C.NetworkPolicy can control traffic to Services
D.If no NetworkPolicy selects a pod, then that pod is allowed all traffic
E.NetworkPolicy is a cluster-scoped resource
AnswersA, B, D

If multiple policies select a pod, the union of their rules applies.

Why this answer

NetworkPolicy applies to pods selected by podSelector; multiple policies are additive; it is namespace-scoped; it can select pods in other namespaces via namespaceSelector.

138
Multi-Selectmedium

Which TWO of the following are valid ways to expose a Deployment named 'web' as a Service?

Select 2 answers
A.kubectl expose deployment web --port=80
B.kubectl port-forward deployment/web 8080:80
C.Apply a Service YAML with selector matching the deployment's pod labels
D.kubectl run web --image=nginx --port=80
E.kubectl create service clusterip web --tcp=80:80
AnswersA, C

Correct. This creates a Service exposing the deployment.

Why this answer

Option A is valid: 'kubectl expose deployment web --port=80' creates a ClusterIP Service. Option D is valid: apply a Service YAML that selects the pods. Option B is invalid because 'kubectl run' creates a pod, not a service.

Option C is invalid because 'kubectl create service' requires --tcp flag for port, but the command is incomplete. Option E is invalid because 'kubectl port-forward' does not create a Service.

139
MCQhard

You have a Service named 'app-service' in namespace 'default'. You want a pod in namespace 'monitoring' to resolve the service DNS name. What is the correct fully qualified domain name (FQDN)?

A.app-service.default.cluster.local
B.app-service.svc.default.cluster.local
C.app-service.cluster.local.default.svc
D.app-service.default.svc.cluster.local
AnswerD

Correct format: <service>.<namespace>.svc.cluster.local.

Why this answer

Option A is correct. The standard DNS format for a Service is '<service>.<namespace>.svc.cluster.local'.

140
Multi-Selecteasy

Which TWO Service types allow external access to pods from outside the Kubernetes cluster? (Select 2)

Select 2 answers
A.Headless
B.NodePort
C.ClusterIP
D.ExternalName
E.LoadBalancer
AnswersB, E

NodePort exposes on each node's IP at a static port.

Why this answer

Options C and D are correct. NodePort and LoadBalancer Services expose the Service on node IPs or via a cloud load balancer, making them accessible externally.

141
MCQhard

An Ingress resource uses the annotation 'kubernetes.io/ingress.class: nginx'. However, traffic is not being routed. The cluster has multiple ingress controllers. What is the most likely cause?

A.The ingress controller is not installed.
B.The annotation is deprecated; use spec.ingressClassName instead.
C.The service backend doesn't exist.
D.TLS certificate is invalid.
AnswerB

Correct. In newer versions, the annotation is ignored and 'spec.ingressClassName' should be set.

Why this answer

The annotation is deprecated in v1.18+; the new method is to use the 'spec.ingressClassName' field. Also, if multiple controllers exist, the ingress class must match one of them.

142
MCQhard

You have an Ingress with TLS configured. The Ingress controller returns a certificate error when accessing via HTTPS. The secret 'my-tls' exists in the same namespace. Which of the following is the most likely cause?

A.The secret name in the TLS section of the Ingress does not match the actual secret name
B.The Ingress controller does not support TLS
C.The secret is in a different namespace than the Ingress
D.The certificate is not signed by a trusted CA
AnswerA

If the secret name is misspelled or does not exist, the controller cannot fetch the certificate.

Why this answer

If the Ingress TLS secret is not referenced correctly in the Ingress YAML, the controller will not use it. Option C is correct. Option A is incorrect because the secret must be in the same namespace as the Ingress.

Option B is incorrect because the Ingress controller typically handles TLS termination. Option D is incorrect because the certificate CN/SAN must match the host.

143
Multi-Selecthard

Which TWO are valid ways to create a Service from a deployment named 'frontend'? (Choose two.)

Select 2 answers
A.kubectl create service clusterip frontend --tcp=80:80
B.kubectl autoscale deployment frontend --min=1 --max=5
C.Write a YAML manifest with apiVersion: v1, kind: Service, metadata.name, spec.selector matching deployment labels, and run kubectl apply -f manifest.yaml
D.kubectl expose deployment frontend --port=80
E.kubectl run frontend --image=nginx --port=80 --expose
AnswersC, D

Writing a YAML and applying is a valid method.

Why this answer

You can create a Service by using kubectl expose on the deployment, or by writing a YAML manifest and applying it. The other options are incorrect commands.

144
MCQeasy

Refer to the exhibit. A user has created the Service shown. The application pods listen on port 8080. Which port should an external client use to access the application from outside the cluster?

A.8080
B.80
C.30007
D.30000
AnswerC

nodePort 30007 is the externally accessible port.

Why this answer

Option C is correct because the Service is of type NodePort, which exposes the application on a static port (30007) on each node's IP address. External clients can access the application by hitting any cluster node's IP on port 30007, which forwards traffic to the Service's ClusterIP on port 80, then to the pods on port 8080.

Exam trap

The trap here is that candidates confuse the Service port (80) or targetPort (8080) with the externally accessible port, failing to recognize that only the NodePort (30007) is reachable from outside the cluster.

How to eliminate wrong answers

Option A is wrong because port 8080 is the targetPort, which is the port the pods listen on inside the cluster; external clients cannot directly reach pod IPs or ports from outside. Option B is wrong because port 80 is the Service's port, which is only reachable from within the cluster via the ClusterIP; it is not exposed externally. Option D is wrong because port 30000 is not defined in the Service spec; the NodePort is explicitly set to 30007 in the YAML, and Kubernetes does not automatically assign a different NodePort unless omitted.

145
MCQhard

A pod in namespace 'app' needs to resolve the DNS name 'db-service.data.svc.cluster.local'. What is the likely namespace of the 'db-service' Service?

A.app
B.data
C.svc
D.default
AnswerB

The second part of the DNS name after the service name is the namespace.

Why this answer

The DNS format is service.namespace.svc.cluster.local. Here, 'data' is the namespace.

146
MCQhard

A Pod named `my-pod` in namespace `ns1` tries to resolve `svc-a.ns2.svc.cluster.local`. The DNS query fails. The Service `svc-a` exists in namespace `ns2`. What is the most likely cause?

A.The Service `svc-a` does not have any endpoints
B.The Pod cannot resolve names from other namespaces
C.The Service type is NodePort
D.The DNS add-on (e.g., CoreDNS) is not deployed or is misconfigured
AnswerD

If CoreDNS is not running or misconfigured, DNS resolution fails for all Services.

Why this answer

By default, a Pod can only resolve Services in its own namespace unless a fully qualified domain name (FQDN) is used. However, the FQDN `svc-a.ns2.svc.cluster.local` should work. The failure could be due to a missing cluster DNS add-on or a NetworkPolicy blocking DNS traffic.

147
Multi-Selectmedium

Which TWO statements about Kubernetes Services are correct?

Select 2 answers
A.A ClusterIP service is accessible from outside the cluster.
B.A Service provides a stable IP address and DNS name for a set of pods.
C.A Service can load balance traffic across multiple clusters.
D.A NodePort service exposes the service on a static port on each node's IP.
E.A headless service assigns a ClusterIP to the service.
AnswersB, D

Correct.

Why this answer

A is correct: Services provide stable endpoints. C is correct: NodePort exposes on a static port on each node. B is false: ClusterIP is internal.

D is false: Services do not provide load balancing across clusters. E is false: Headless services do not have ClusterIP.

148
MCQeasy

What is the correct command to forward a local port to a pod for debugging?

A.kubectl expose pod my-pod --port=8080
B.kubectl attach pod/my-pod
C.kubectl port-forward pod/my-pod 8080:80
D.kubectl proxy pod/my-pod 8080:80
AnswerC

Correct syntax.

Why this answer

`kubectl port-forward pod/my-pod 8080:80` forwards local port 8080 to pod port 80.

149
MCQmedium

What is the primary purpose of a headless Service (clusterIP: None) in Kubernetes?

A.To prevent external access to the Service.
B.To provide a stable IP address for the Service.
C.To allow DNS resolution to return all pod IPs for a StatefulSet.
D.To enable load balancing across pods.
AnswerC

Headless Services enable DNS-based pod discovery for StatefulSets.

Why this answer

Headless Services are used with StatefulSets to provide stable network identities for pods, allowing direct pod-to-pod communication without a load-balanced IP.

150
MCQmedium

Which of the following is true about Istio as a service mesh?

A.It replaces kube-proxy for service routing
B.It injects a sidecar proxy into each pod
C.It only works with HTTP traffic
D.It requires all services to be of type LoadBalancer
AnswerB

Istio injects an Envoy proxy sidecar to intercept traffic.

Why this answer

Istio uses sidecar proxies (Envoy) injected into pods to manage traffic, enforce policies, and collect telemetry. It does not replace kube-proxy but works alongside it.
