CCNA CKAD Services Networking Questions

54 of 204 questions · Page 3/3 · CKAD Services Networking topic · Answers revealed

151
MCQmedium

A developer needs to expose a deployment named 'web-app' running in the 'default' namespace on port 8080 internally within the cluster. Which kubectl command creates a ClusterIP service that selects pods with label 'app: web'?

A.kubectl expose deployment web-app --port=8080 --target-port=8080 --selector=app=web
B.kubectl expose deployment web-app --port=8080 --target-port=8080 --type=ClusterIP
C.kubectl run web-app --image=nginx --port=8080 --expose
D.kubectl create service clusterip web-app --tcp=8080:8080 --selector=app=web
AnswerA

Correctly specifies the selector 'app=web' and exposes port 8080.

Why this answer

The correct command uses 'kubectl expose' with the appropriate flags to create a ClusterIP service targeting port 8080 and selecting pods with label 'app=web'.

152
MCQmedium

An administrator wants to allow ingress traffic to pods with label 'app: database' only from pods with label 'app: api' in the same namespace. Which NetworkPolicy rule is correct?

A.
```
podSelector: { matchLabels: { app: database } }
ingress:
- from:
  - ipBlock: { cidr: 10.0.0.0/8 }
```
B.
```
podSelector: { matchLabels: { app: api } }
ingress:
- from:
  - podSelector: { matchLabels: { app: database } }
```
C.
```
podSelector: { matchLabels: { app: database } }
ingress:
- from:
  - podSelector: { matchLabels: { app: api } }
```
D.
```
podSelector: { matchLabels: { app: database } }
ingress:
- from:
  - namespaceSelector: { matchLabels: { name: default } }
```
AnswerC

Correct.

Why this answer

The policy's podSelector should select pods with label 'app: database', and the ingress rule should allow traffic from pods with label 'app: api' via a podSelector in the from block. Option C is correct. Option B selects the wrong pods.

Option D uses namespaceSelector, which is not needed. Option A uses ipBlock, which is not appropriate.

153
MCQmedium

An admin applies the following NetworkPolicy:

```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

What effect does this policy have?

A.Allows all traffic because no rules are specified.
B.Denies all ingress and egress traffic to all pods in the namespace.
C.Only denies egress traffic; ingress is allowed.
D.Only denies ingress traffic; egress is allowed.
AnswerB

Default deny-all policy.

Why this answer

An empty podSelector selects all pods. With no rules, both ingress and egress traffic are denied by default.

154
Multi-Selectmedium

Which TWO statements about NetworkPolicy are correct? (Choose two.)

Select 2 answers
A.If no NetworkPolicy selects a pod, then that pod is isolated and traffic is denied
B.NetworkPolicy is only applicable to Services
C.NetworkPolicy is a cluster-scoped resource
D.NetworkPolicy uses labels to select pods within a namespace
E.NetworkPolicy can specify both ingress and egress rules
AnswersD, E

Correct.

Why this answer

NetworkPolicy is a namespaced resource, and if no policies select a pod, it allows all traffic by default.

155
MCQhard

An Ingress resource has the following annotation: 'kubernetes.io/ingress.class: nginx'. What is the purpose of this annotation?

A.It sets a default backend for the Ingress
B.It enables session affinity (sticky sessions)
C.It enables TLS for the Ingress
D.It specifies the Ingress controller to use (e.g., nginx)
AnswerD

Correct. It tells the cluster which ingress controller should handle this resource.

Why this answer

The annotation 'kubernetes.io/ingress.class' specifies which Ingress controller should process this Ingress resource. In Kubernetes 1.18+, this is replaced by the 'ingressClassName' field, but the annotation is still supported. Option D is correct.

Option A is wrong because the annotation does not create a default backend. Option B is wrong because it does not enable sticky sessions. Option C is wrong because it does not enable TLS.

156
MCQmedium

An Ingress is configured for host-based routing with two hosts: 'app1.example.com' and 'app2.example.com'. A request to 'app1.example.com' should go to service 'svc1'. Which field in the Ingress spec specifies the host?

A.spec.rules.http.paths.host
B.spec.rules.http.host
C.spec.tls.hosts
D.spec.rules.host
AnswerD

The host field under rules.

Why this answer

In an Ingress rule, the 'host' field specifies the hostname for routing.

157
MCQmedium

A developer runs 'kubectl run nginx --image=nginx --port=80' and then creates a Service with the following YAML:

```
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
```

However, the Service has no endpoints. What is the most likely cause?

A.The Service selector 'app: nginx' does not match the pod's label 'run: nginx'
B.The Service and pod are in different namespaces
C.The Service must have a selector defined in order to have endpoints
D.The pod is not listening on port 80
AnswerA

Correct. The pod created by 'kubectl run' gets label 'run: nginx', not 'app: nginx'.

Why this answer

'kubectl run nginx --image=nginx --port=80' creates a pod with label 'run: nginx', not 'app: nginx'. The Service selects pods with 'app: nginx', so there is no match. The fix is to correct the selector.

Option A is correct. Option D is wrong because the pod is running and has ports. Option C is wrong because a Service does not need a selector to have endpoints if created manually.

Option B is wrong because the namespace is consistent.

158
MCQhard

A NetworkPolicy allows ingress traffic from pods with label 'role: frontend' in the same namespace. Which podSelector is correct?

A.
```
ingress:
- from:
  - podSelector:
      matchExpressions:
      - key: role
        operator: In
        values:
        - frontend
```
B.
```
ingress:
- from:
  - namespaceSelector:
      matchLabels:
        role: frontend
```
C.
```
ingress:
- from:
  - podSelector:
      matchLabels:
        role: frontend
```
D.
```
ingress:
- from:
  - ipBlock:
      cidr: 0.0.0.0/0
```
AnswerC

Correct. podSelector selects pods with that label.

Why this answer

The ingress 'from' rule uses podSelector to select source pods within the namespace. Option B uses namespaceSelector, which selects namespaces, not pods.

159
MCQhard

You have a Service that exposes a Deployment. Some pods are not receiving traffic. 'kubectl get endpoints my-service' shows only 2 out of 3 pod IPs. What is the most likely cause?

A.The Deployment has a wrong targetPort
B.The Service type is NodePort
C.One pod has a different label than the Service selector
D.One pod is not ready (readiness probe failing)
AnswerD

Only ready pods are included as endpoints.

Why this answer

Endpoints only include ready pods. One pod may not be passing readiness probes.

160
MCQeasy

Which Service type is used to expose a service externally on a static port on each worker node?

A.NodePort
B.ExternalName
C.ClusterIP
D.LoadBalancer
AnswerA

NodePort exposes the service on a static port on each node's IP.

Why this answer

NodePort services expose a port on each node's IP address, allowing external access. Option A is correct.

161
MCQmedium

You need to debug a Service that is not routing traffic to its endpoints. Which command shows the current endpoints of a Service?

A.kubectl describe service my-service
B.kubectl get svc my-service -o wide
C.kubectl get pods -l app=my-app
D.kubectl get endpoints my-service
AnswerD

Shows the endpoints for the Service.

Why this answer

The 'kubectl get endpoints' command shows the endpoints (pods) that a Service is routing to. The shorthand is 'ep'.

162
MCQmedium

You need to access a database pod 'db-pod' on port 5432 from your local machine. Which command forwards local port 15432 to the pod's port 5432?

A.kubectl proxy --port=15432 db-pod:5432
B.kubectl port-forward pod/db-pod 15432:5432
C.kubectl expose pod db-pod --port=15432 --target-port=5432
D.kubectl port-forward db-pod 5432:15432
AnswerB

Correct syntax and port mapping.

Why this answer

The correct command is 'kubectl port-forward pod/db-pod 15432:5432'. This forwards local port 15432 to the pod's port 5432.

163
MCQeasy

A pod named 'debug' is running. Which command forwards local port 4000 to port 80 on the pod?

A.kubectl exec debug -- socat TCP-LISTEN:4000 TCP:localhost:80
B.kubectl port-forward pod debug 4000:80
C.kubectl port-forward pod/debug 4000:80
D.kubectl proxy --port=4000 --target=80
AnswerC

Correct syntax.

Why this answer

'kubectl port-forward' is used to forward a local port to a pod port. The correct syntax is 'kubectl port-forward pod/debug 4000:80'.

164
MCQmedium

You have a headless Service for a StatefulSet. What is the DNS resolution behavior for the StatefulSet pods?

A.DNS is disabled for headless Services.
B.The Service name resolves to the IP of the first pod only.
C.All pods share a single cluster IP via the Service.
D.Each pod gets a DNS A record pointing to its individual IP.
AnswerD

Headless Service returns pod IPs, not a single cluster IP.

Why this answer

Option D is correct. Headless Services (clusterIP: None) enable DNS to return pod IPs directly, allowing each pod to be reachable via its own DNS name (pod-name.service-name.namespace.svc.cluster.local).

165
Multi-Selectmedium

Which TWO of the following are valid ways to expose a Service externally in a Kubernetes cluster?

Select 2 answers
A.Service type ClusterIP
B.Service type ExternalName
C.Service type LoadBalancer
D.Service type NodePort
E.Ingress resource with ClusterIP Service
AnswersC, D

LoadBalancer provisions external LB.

Why this answer

Service type LoadBalancer (C) exposes the Service externally by provisioning a cloud load balancer (e.g., AWS ELB, GCP L7) that routes external traffic to the Service's ClusterIP. Service type NodePort (D) exposes the Service on a static port (30000-32767) on every node's IP, allowing external access via <NodeIP>:<NodePort>. Both are valid methods for external exposure in Kubernetes.

Exam trap

The trap here is that candidates often think Ingress alone can expose a Service externally, but Ingress is only a routing layer that requires an underlying Service of type NodePort or LoadBalancer to actually receive external traffic.

166
MCQhard

You want to restrict ingress traffic to pods with label 'app: web' in namespace 'frontend' to only come from pods in namespace 'backend'. Which NetworkPolicy YAML is correct?

A.
```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend
  namespace: frontend
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: backend
```
B.
```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: frontend
```
C.
```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend
  namespace: frontend
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
```
D.
```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend
  namespace: frontend
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: backend
```
AnswerA

This selects pods with label 'app: web' in 'frontend' and allows ingress from any pod in namespace 'backend'.

Why this answer

To allow ingress only from pods in namespace 'backend', you need to use namespaceSelector under from, and also select the pod (optional if any pod). The correct YAML has a namespaceSelector matching the namespace label for 'backend'.

167
MCQmedium

A pod in namespace 'default' cannot resolve the service name 'db' in namespace 'data'. Which DNS name should the pod use to reach the service?

A.db.default.svc.cluster.local
B.data.db.svc.cluster.local
C.db.data.svc.cluster.local
D.db.svc.data.cluster.local
AnswerC

Correct. The format is <service>.<namespace>.svc.cluster.local.

Why this answer

Cross-namespace DNS requires the full service name: 'service.namespace.svc.cluster.local'.

168
MCQmedium

You apply the following Ingress manifest:

```
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: app-svc
            port:
              number: 80
```

What is missing to enable TLS termination for this Ingress?

A.Create a ConfigMap with the TLS certificate
B.Set `service.beta.kubernetes.io/load-balancer-source-ranges` annotation on the Service
C.Change the Ingress API version to extensions/v1beta1
D.Add `tls` section under spec with hosts and secretName
AnswerD

The tls section is required to configure TLS termination.

Why this answer

To enable TLS, you must specify a `tls` block with hosts and a secret name containing the certificate.

169
MCQeasy

Which of the following is true about headless services?

A.It performs round-robin load balancing across pods
B.It has no cluster IP; DNS returns the IPs of the pods
C.It provides a single DNS record for the service
D.It must not have a selector
AnswerB

Correct. The clusterIP is set to None, and DNS returns pod IPs.

Why this answer

A headless service is created by setting clusterIP: None. It does not have a cluster IP; instead, DNS returns the IP addresses of the pods matching the selector. This is useful for StatefulSets.

Option B is correct. Option C is false because it does have a DNS record. Option A is false because it does not perform load balancing.

Option D is false because it can have a selector.

170
MCQeasy

Which of the following commands creates a LoadBalancer Service named `web-svc` for a Deployment named `web` on port 80?

A.kubectl create service web-svc --port=80 --type=LoadBalancer
B.kubectl expose deployment web --name=web-svc --port=80 --type=LoadBalancer
C.kubectl create deployment web --expose --port=80 --type=LoadBalancer
D.kubectl expose pod web --port=80 --type=LoadBalancer
AnswerB

Correct syntax.

Why this answer

The `kubectl expose` command with `--type=LoadBalancer` creates a LoadBalancer Service.

171
MCQhard

A Service of type LoadBalancer is created but the external IP remains <pending>. What is the most likely reason?

A.The Service port is already in use
B.The Service selector does not match any Pods
C.The cluster does not have a cloud provider configured
D.The Pods are not listening on the container port
AnswerC

Without a cloud controller, no LB is provisioned.

Why this answer

A LoadBalancer Service in Kubernetes relies on an external cloud provider (e.g., AWS, GCP, Azure) to provision a real load balancer and assign its external IP. If no cloud provider is configured (e.g., in a bare-metal or Minikube cluster), the external IP will remain <pending> indefinitely because there is no controller to allocate the IP.

Exam trap

The trap here is that candidates often confuse a LoadBalancer's external IP assignment with Pod readiness or port availability, but the core requirement is a functioning cloud provider integration to allocate the external IP.

How to eliminate wrong answers

Option A is wrong because a port conflict would cause the Service creation to fail or the NodePort assignment to error, not leave the external IP as <pending>. Option B is wrong because mismatched selectors would result in no endpoints for the Service, but the external IP would still be assigned by the cloud provider if one were configured. Option D is wrong because Pods not listening on the container port would cause connection failures, but the LoadBalancer external IP assignment is independent of Pod readiness.

172
MCQmedium

You have a Deployment named 'web-app' with 3 replicas. You want to expose the pods on port 80 internally within the cluster using a ClusterIP service. Which kubectl command should you use?

A.kubectl expose deployment web-app --port=80 --target-port=8080
B.kubectl create service clusterip web-app --tcp=80:8080
C.kubectl create service nodeport web-app --tcp=80:8080
D.kubectl expose pod web-app --port=80 --target-port=8080
AnswerA

This creates a ClusterIP service targeting the Deployment's pods on port 80.

Why this answer

The 'kubectl expose' command with appropriate flags creates a ClusterIP service by default. Option A is the correct command.

173
MCQeasy

Which command creates a Service named 'my-svc' that exposes a deployment named 'my-deploy' on port 80?

A.kubectl create service my-svc --port=80 --target-port=80
B.kubectl run my-svc --expose --port=80 --image=my-image
C.kubectl create svc clusterip my-svc --tcp=80:80
D.kubectl expose deployment my-deploy --name=my-svc --port=80
AnswerD

Correct command to create a Service from a deployment.

Why this answer

The 'kubectl expose' command is used to create a Service from a resource. The correct syntax is 'kubectl expose deployment my-deploy --name=my-svc --port=80'.

174
Multi-Selectmedium

Which TWO statements about Kubernetes Services are correct? (Choose two.)

Select 2 answers
A.Services can only route traffic based on named ports.
B.A Service provides a stable endpoint for a set of pods.
C.A Service uses label selectors to identify the target pods.
D.Services can only route traffic to pods in the same namespace.
E.Every Service must have a cluster IP assigned.
AnswersB, C

Services provide a stable IP and DNS name.

Why this answer

Option B is correct because a Kubernetes Service provides a stable virtual IP and DNS name that remains constant even as the underlying pods are created, destroyed, or rescheduled. This decouples clients from the ephemeral nature of pod IPs, ensuring reliable connectivity to the pod group.

Exam trap

The trap here is that candidates often assume Services require a cluster IP or can only use named ports, but the CKAD exam tests knowledge of headless Services and the flexibility of port definitions.

175
MCQeasy

Which of the following commands creates a ClusterIP service named 'my-service' that exposes port 80 on the pod with label 'app=web'?

A.kubectl expose deployment my-deployment --port=80 --name=my-service
B.kubectl expose pod my-pod --port=80 --target-port=8080 --name=my-service
C.kubectl create service clusterip my-service --tcp=80:8080 --cluster-ip=10.0.0.1
D.kubectl expose deployment my-deployment --type=NodePort --port=80 --name=my-service
AnswerA

Assumes 'my-deployment' has label 'app=web' and creates a ClusterIP service by default.

Why this answer

Option A is correct. 'kubectl expose pod my-pod --port=80 --name=my-service' creates a service. However, to use a label selector, the correct command is 'kubectl expose deployment my-deployment --port=80 --name=my-service'. Option B uses '--target-port' which is incorrect for initial exposure; Option C incorrectly specifies '--cluster-ip' without value; Option D creates a NodePort service.

So A is the best match.

176
Multi-Selecthard

Which THREE of the following are true regarding NetworkPolicy in Kubernetes?

Select 3 answers
A.By default, all traffic is allowed unless a NetworkPolicy selects the pod
B.You can allow traffic from pods in another namespace using namespaceSelector and podSelector
C.NetworkPolicy can block traffic to a specific port on the node's IP
D.NetworkPolicy can restrict egress traffic from pods
E.NetworkPolicy resources can be applied to the kube-system namespace to restrict system pods
AnswersA, B, D

Correct. NetworkPolicy is additive; default allow.

Why this answer

Option A is true: NetworkPolicy is an additive rule; if no policy selects a pod, traffic is allowed by default. Option B is true: you can allow traffic from specific pods in other namespaces using namespaceSelector combined with podSelector. Option D is true: egress rules can restrict outbound traffic.

Option C is false: NetworkPolicy cannot block traffic to a specific port on the node; it works at the pod level. Option E is false: NetworkPolicy cannot enforce rules for the kube-system namespace unless explicitly created there.

177
MCQmedium

A developer creates a Service named 'backend' in namespace 'default'. The service targets pods with label 'app: backend'. From within a pod in the same namespace, which DNS name resolves to the service's ClusterIP?

A.backend
B.backend.default.svc.cluster.local
C.backend.svc.cluster.local
D.backend.default.cluster.local
AnswerA

Correct. Within the same namespace, the service can be reached by its name only.

Why this answer

The short form 'backend' works for services in the same namespace. The full DNS name is 'backend.default.svc.cluster.local', but within same namespace, just 'backend' is sufficient.

178
MCQeasy

Which of the following Ingress controllers is commonly used in Kubernetes?

A.IIS
B.Apache
C.NGINX
D.Tomcat
AnswerC

NGINX Ingress controller is widely used.

Why this answer

NGINX is one of the most common Ingress controllers, along with others like Traefik, HAProxy, and Contour.

179
Multi-Selecteasy

Which TWO are valid port names in a Service definition?

Select 2 answers
A.my_port
B.Port-1
C.123
D.grpc
AnswersD, E

Valid lowercase name.

Why this answer

Port names must follow IANA service names; they can contain lowercase letters, numbers, and hyphens. 'http' and 'grpc' are valid. 'my_port' is invalid due to underscore. '123' is invalid (must start with letter). 'Port-1' contains uppercase P.

180
MCQhard

A NetworkPolicy with the following spec is applied to a namespace. What is the effect?

```
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/8
        except:
        - 10.0.1.0/24
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
```

A.Deny all ingress and egress traffic
B.Allow all ingress and egress traffic
C.Deny all ingress traffic except from 10.0.0.0/8 excluding 10.0.1.0/24; allow all egress
D.Allow ingress from 10.0.1.0/24 only
AnswerC

This matches the policy rules.

Why this answer

The empty podSelector applies to all pods in the namespace. Ingress allows traffic from 10.0.0.0/8 except 10.0.1.0/24. Egress allows all traffic.

No default deny because ingress and egress rules are present.

181
MCQeasy

You need to forward a local port to port 8080 on a pod named 'my-pod' in the 'default' namespace. Which kubectl command should you use?

A.kubectl port-forward pod/my-pod 8080:80
B.kubectl port-forward pod/my-pod 8080:8080
C.kubectl forward pod/my-pod 8080:8080
D.kubectl port-forward my-pod 8080
AnswerB

Forwards local port 8080 to pod port 8080.

Why this answer

The kubectl port-forward command is used to forward local ports to a pod.

182
MCQhard

During a security audit, it is discovered that a pod running a database is accessible from any other pod in the cluster. The database should only be accessible by pods with label 'role: backend'. Which resource should be applied to enforce this restriction?

A.An Ingress resource with TLS
B.A Service of type ClusterIP with a firewall rule
C.A NetworkPolicy with an ingress rule selecting pods with label 'role: backend'
D.A PodSecurityPolicy
AnswerC

NetworkPolicy controls pod-to-pod traffic based on labels.

Why this answer

Option C is correct because a NetworkPolicy with an ingress rule that selects pods with label 'role: backend' explicitly restricts inbound traffic to the database pod to only those pods that match that label. NetworkPolicies are Kubernetes-native resources that enforce firewall rules at the IP address or port level (OSI layer 3 or 4) using the pod's labels as selectors, and they are the standard mechanism for controlling pod-to-pod traffic within a cluster.

Exam trap

The trap here is that candidates often confuse NetworkPolicies with Services or Ingress, assuming that a Service's ClusterIP or an Ingress rule can control internal pod access, but NetworkPolicies are the only native Kubernetes resource that enforces pod-level network segmentation within the cluster.

How to eliminate wrong answers

Option A is wrong because an Ingress resource operates at layer 7 (HTTP/HTTPS) and is designed to manage external traffic into the cluster, not internal pod-to-pod communication; it cannot restrict access between pods inside the cluster. Option B is wrong because a Service of type ClusterIP provides a stable virtual IP for load balancing but does not enforce traffic filtering; firewall rules are not a native Kubernetes resource and would require external tools (e.g., cloud provider firewalls) that operate at the cluster boundary, not between pods. Option D is wrong because a PodSecurityPolicy (deprecated in Kubernetes 1.21 and removed in 1.25) controls security-sensitive aspects of pod specs (e.g., privileged containers, host namespaces), not network traffic between pods.

183
MCQeasy

You want to expose a Deployment named 'nginx' on port 80 using a LoadBalancer service. Which YAML snippet is correct?

A.
```
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  type: NodePort
  ports:
  - port: 80
  selector:
    app: nginx
```
B.
```
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: nginx
```
C.
```
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: nginx
```
D.
```
apiVersion: apps/v1
kind: Service
metadata:
  name: nginx-svc
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: nginx
```
AnswerC

Correct syntax for a LoadBalancer service.

Why this answer

LoadBalancer services have type: LoadBalancer and a selector pointing to the Deployment's pods.

184
MCQeasy

Which of the following Service types exposes a pod on a static port on each node's IP address?

A.LoadBalancer
B.ExternalName
C.ClusterIP
D.NodePort
AnswerD

NodePort exposes the Service on each Node's IP at a static port.

Why this answer

NodePort Service exposes the Service on each Node's IP at a static port (the NodePort). A NodePort Service is accessible from outside the cluster by requesting <NodeIP>:<NodePort>.

185
MCQmedium

A user runs 'kubectl get endpoints my-service' and sees no endpoints listed. The service has a selector 'app: my-app'. Pods with that label exist and are running. What is the most likely cause?

A.The service selector does not match the pod labels
B.The pods are not assigned an IP address
C.The service name is incorrect
D.The pods are not ready (readiness probe failing)
AnswerA

The endpoints controller watches for pods matching the service's selector. If labels don't match, no endpoints are added.

Why this answer

If the service selector does not match the pod labels, the endpoints controller will not populate endpoints. Option A is correct. Option B is incorrect because pod IPs are assigned.

Option C is incorrect because the service exists. Option D is incorrect because readiness probes affect whether a pod is included in endpoints, but if no pods match the selector, that's the primary issue.

186
MCQmedium

You have a Deployment with 3 replicas. You create a Service with 'clusterIP: None'. What is the effect on pod DNS?

A.Each pod gets its own DNS record in the form <pod-ip>.<service>.<namespace>.svc.cluster.local
B.DNS returns the IPs of all matching pods.
C.The Service name does not resolve to any IP; DNS fails.
D.The Service name resolves to a single virtual IP that load balances across pods.
AnswerB

Headless Service returns pod IPs directly.

Why this answer

Option B is correct. A headless Service (clusterIP: None) causes DNS to return the IP addresses of all pods that match the selector, enabling DNS-based pod discovery.

187
MCQmedium

You have a Deployment running three replicas of a web application. You need to expose the application on port 80 of all cluster nodes. Which Service type should you use?

A.LoadBalancer
B.NodePort
C.ExternalName
D.ClusterIP
AnswerB

NodePort exposes the service on each node's IP at a static port.

Why this answer

NodePort exposes a service on a static port on each node's IP address, making the service accessible from outside the cluster via nodeIP:nodePort.

188
Matchingmedium

Match each Kubernetes term to its description.

Concepts
Matches

Runs before app containers; for setup tasks

Helper container that runs alongside the main container

Pod managed directly by the kubelet without API server

Temporary container for debugging running pods

Pod with multiple containers sharing the same network and storage

Why these pairings

These are special container patterns in Kubernetes.

189
Multi-Selecthard

Which THREE of the following are valid fields in a NetworkPolicy spec?

Select 3 answers
A.podSelector
B.ingress
C.policyTypes
D.namespaceSelector
E.ipBlock
AnswersA, B, C

Required field to select pods.

Why this answer

Options A, B, and C are correct. A NetworkPolicy spec includes 'podSelector', 'policyTypes', 'ingress', and 'egress'. Option D 'namespaceSelector' is a field within ingress/egress rules, not directly in spec.

Option E 'ipBlock' is within ingress/egress rules. So A, B, C are top-level fields.

190
Multi-Selecthard

Which THREE conditions must be met for a NetworkPolicy to effectively isolate a set of pods?

Select 3 answers
A.The NetworkPolicy must have a non-empty podSelector that matches the target pods
B.The namespace must have a default deny-all NetworkPolicy
C.The pods must have the label 'networking/allow-external'
D.The policy must include 'policyTypes: - Ingress' to deny by default
E.The NetworkPolicy must be in the same namespace as the pods
AnswersA, D, E

Otherwise it may apply to all pods or none.

Why this answer

NetworkPolicy must have a podSelector that selects the target pods, the policyTypes must include Ingress and/or Egress, and the rules must define allowed traffic. By default, if no NetworkPolicy applies, all traffic is allowed.

191
MCQmedium

Which command forwards local port 8080 to port 80 of a pod named 'web-pod'?

A.kubectl port-forward service/web-service 8080:80
B.kubectl port-forward pod/web-pod 8080:80
C.kubectl port-forward deployment/web-deployment 8080:80
D.kubectl port-forward pod/web-pod 80:8080
AnswerB

Correct syntax: local_port:pod_port.

Why this answer

Option B is correct. 'kubectl port-forward pod/web-pod 8080:80' forwards local port 8080 to pod port 80. Option D incorrectly places local port after colon. Option C uses deployment.

Option A uses service, not pod.

192
MCQhard

An Ingress resource uses host-based routing. Which field in the Ingress YAML specifies the host header to match?

A.metadata.annotations['nginx.ingress.kubernetes.io/rewrite-target']
B.spec.rules[].host
C.spec.tls[].hosts
D.spec.rules[].http.paths[].host
AnswerB

Correct: host field under rules.

Why this answer

Option B is correct. In an Ingress rule, the 'host' field under 'spec.rules[].host' specifies the fully qualified domain name to match.

193
MCQeasy

Which kubectl command forwards local port 8080 to port 80 of a pod named 'web-pod'?

A.kubectl port-forward pod/web-pod 80:8080
B.kubectl expose pod web-pod --port=8080 --target-port=80
C.kubectl proxy pod/web-pod 8080:80
D.kubectl port-forward pod/web-pod 8080:80
AnswerD

Correct: local 8080 to pod 80.

Why this answer

Option D is correct. The format is 'kubectl port-forward <pod-name> <local-port>:<pod-port>'.

194
MCQhard

You need to allow ingress traffic to pods with label 'app: web' from pods with label 'role: frontend' in the same namespace, and also from any pod in namespace 'monitoring'. Which NetworkPolicy egress/ingress rule correctly implements this?

A.
```
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: monitoring
    - podSelector:
        matchLabels:
          role: frontend
```
B.
```
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
      namespaceSelector:
        matchLabels:
          name: monitoring
```
C.
```
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    - namespaceSelector:
        matchLabels:
          name: monitoring
```
D.
```
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
  - from:
    - namespaceSelector:
        matchLabels:
          name: monitoring
```
AnswerC

Correct: two separate from entries for each source.

Why this answer

Option C is correct. The ingress rule has two from entries: one for pods with label 'role: frontend' (a podSelector without a namespaceSelector means the current namespace) and another for all pods in namespace 'monitoring' (a namespaceSelector with matchLabels).

195
MCQhard

An Ingress resource has the following spec. What is the effect?

```yaml
spec:
  tls:
  - hosts:
    - myapp.example.com
    secretName: myapp-tls
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp
            port:
              number: 80
```

A.Ingress terminates TLS using the secret and routes to the service.
B.Ingress uses the secret for client authentication.
C.Ingress redirects HTTP to HTTPS automatically.
D.Ingress passes the TLS connection through to the service.
AnswerA

Correct interpretation.

Why this answer

The Ingress terminates TLS for the host myapp.example.com using the secret 'myapp-tls' and then routes HTTP traffic to the service 'myapp' on port 80. This is a typical TLS termination configuration.

196
MCQmedium

You need to create a NetworkPolicy that denies all ingress traffic to pods with label 'app: db' in namespace 'prod'. Which YAML snippet correctly implements this?

A.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-db namespace: prod spec: podSelector: matchLabels: app: db policyTypes: - Ingress ingress: - from: - ipBlock: cidr: 0.0.0.0/0
B.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all namespace: prod spec: podSelector: {} policyTypes: - Ingress ingress: - from: []
C.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress ingress: []
D.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-db namespace: prod spec: podSelector: matchLabels: app: db policyTypes: - Ingress ingress: []
AnswerD

This selects pods with label 'app: db' in namespace 'prod' and has no ingress rules, thus denying all ingress traffic.

Why this answer

To deny all ingress traffic, create a NetworkPolicy that selects the pods and has an empty ingress array (or no ingress rules at all, which denies all). The correct way is to specify a podSelector with the label and leave the policy with no ingress rules.

197
MCQhard

A NetworkPolicy is applied to a namespace with the following rules:

```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
```

What is the effect on pods in that namespace?

A.All inbound traffic is denied, outbound traffic is allowed
B.All traffic is allowed
C.Only traffic from specific namespaces is allowed
D.All inbound and outbound traffic is denied
AnswerA

Correct.

Why this answer

This policy selects all pods and only specifies Ingress, so all incoming traffic to pods is denied unless other policies allow it. Egress is unaffected.

198
Multi-Selecthard

Which TWO statements about Kubernetes DNS are correct?

Select 2 answers
A.The kube-dns service is responsible for DNS resolution
B.A service named 'api' in namespace 'prod' has DNS name 'api.prod.svc.cluster.local'
C.Pods with hostNetwork: true automatically get DNS entries
D.Headless services also have DNS A records for each pod
E.A pod's DNS name is always 'pod-ip.namespace.pod.cluster.local'
AnswersB, D

Standard service DNS format.

Why this answer

Pod DNS uses the pod's IP with dots replaced by dashes. Service DNS format is 'service.namespace.svc.cluster.local'. Pods with hostNetwork do not get DNS by default.

DNS can be customized via CoreDNS.

199
Multi-Selecteasy

Which TWO are valid ways to create a Service in Kubernetes?

Select 2 answers
A.Using kubectl apply -f service.yaml
B.Using kubectl create service clusterip myservice --tcp=80:80
C.Using kubectl create deployment mydeploy --image=nginx --expose
D.Using kubectl run mypod --image=nginx --expose
E.Using kubectl expose deployment mydeploy --port=80
AnswersA, E

Applies a YAML manifest.

Why this answer

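A and E are correct. A YAML manifest can be applied, and kubectl expose creates a service from a resource. The 'kubectl create service clusterip' option is incorrect because 'create service' doesn't automatically select pods. The 'kubectl run' option creates a pod, not a service. The 'kubectl create deployment ... --expose' option is not a command.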

200
MCQhard

An Ingress resource is defined as:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
```

What must exist in the cluster for TLS termination to work?

A.An IngressClass annotation specifying the ingress controller
B.A ServiceAccount named tls-secret
C.A Secret named tls-secret of type kubernetes.io/tls in the same namespace
D.A ConfigMap named tls-secret with certificate data
AnswerC

The Ingress controller reads the TLS certificate from this secret.

Why this answer

For TLS termination, a Kubernetes Secret of type kubernetes.io/tls named 'tls-secret' must exist in the same namespace as the Ingress, containing the TLS certificate and key.

201
MCQhard

An ingress resource is created with the following spec. Which request will be routed to the 'green' service?

```yaml
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: blue
            port:
              number: 80
      - path: /api/v1
        pathType: Exact
        backend:
          service:
            name: green
            port:
              number: 80
```

A.http://example.com/api/v1
B.http://example.com/api/v1/
C.http://example.com/api
D.http://example.com/
AnswerA

Matches Exact /api/v1, so routed to green.

Why this answer

The path /api/v1 matches exactly, so requests to http://example.com/api/v1 go to green. The Prefix path /api would also match /api/v1, but Exact paths take precedence over Prefix paths when they match exactly.

202
MCQeasy

A Service of type LoadBalancer is created but the external IP remains pending. What is the most likely reason?

A.The service selector does not match any pods
B.The service port is already in use
C.The cluster does not have a load balancer controller
D.The namespace has a NetworkPolicy blocking traffic
AnswerC

Without a controller, the external IP remains pending.

Why this answer

LoadBalancer type requires an external load balancer controller (e.g., cloud provider) to assign an IP. If none is present, the IP stays pending.

203
Multi-Selectmedium

Which TWO statements about Services are true? (Choose two.)

Select 2 answers
A.A Service of type LoadBalancer automatically creates a NodePort Service.
B.A Service of type ClusterIP is accessible from outside the cluster.
C.A Service of type ExternalName requires a selector to route traffic.
D.A headless Service has clusterIP set to "0.0.0.0".
E.A Service of type NodePort exposes the Service on a static port on each Node's IP.
AnswersA, E

LoadBalancer builds on NodePort by creating a NodePort automatically.

Why this answer

ClusterIP Services are only accessible within the cluster. NodePort exposes the Service on a static port on each node. LoadBalancer builds on NodePort.

ExternalName does not have selectors.

204
MCQmedium

A Service of type NodePort is created with 'spec.ports[0].nodePort: 30080'. The cluster nodes have IPs 10.0.0.1, 10.0.0.2. Which command can be used to test connectivity to the Service from outside the cluster?

A.curl 10.0.0.1:30080
B.curl 10.0.0.1:80 --header 'Host: service.namespace.svc.cluster.local'
C.curl 10.0.0.1:80
D.curl 10.96.0.1:30080
AnswerA

Correct: NodePort is exposed on each node's IP at the specified nodePort.

Why this answer

Option A is correct. NodePort Services are reachable on any node's IP at the nodePort port. 'curl 10.0.0.1:30080' will hit the Service.
