Sample questions
Kubernetes and Cloud Native Associate KCNA practice questions
Match each Kubernetes resource to its primary purpose.
Smallest deployable unit containing one or more containers
Stable network endpoint to access a set of Pods
Stores non-sensitive configuration data as key-value pairs
Cluster-wide storage resource provisioned by an administrator
Manages external access to services, typically HTTP
Match each Kubernetes security concept to its definition.
Identity for processes running in a pod
Role-based access control to authorize API requests
Specifies how groups of pods are allowed to communicate
Deprecated but formerly controlled security-sensitive pod settings
Stores sensitive data like passwords and tokens
A team observes that a Pod is stuck in CrashLoopBackOff. The Pod runs a single container whose entrypoint exits with a non-zero code after a few seconds. The team wants to inspect the container's logs to understand why it is crashing. Which command should they use?
Trap 1: kubectl get pods
Lists Pods but does not show logs.
Trap 2: kubectl describe pod <pod-name>
Describes Pod status but not logs.
Trap 3: kubectl exec -it <pod-name> -- sh
Requires a running container; crashing Pod may not allow exec.
- A. kubectl get pods
  Why wrong: Lists Pods but does not show logs.
- B. kubectl logs <pod-name> --previous
  Shows logs from the previous container instance, useful for crash logs.
- C. kubectl describe pod <pod-name>
  Why wrong: Describes Pod status but not logs.
- D. kubectl exec -it <pod-name> -- sh
  Why wrong: Requires a running container; crashing Pod may not allow exec.
An application running in a Kubernetes cluster needs to securely access a third-party API. The API key must be stored in the cluster and mounted into the Pod as an environment variable. Which is the best practice?
Trap 1: Store the API key in a ConfigMap and reference it in the Pod spec.
ConfigMaps are for non-confidential data; Secrets are for sensitive data.
Trap 2: Embed the API key directly in the container image.
Embedding secrets in images is insecure and violates best practices.
Trap 3: Store the API key in a Pod annotation and read it with kubectl.
Annotations are not meant for secrets; they are metadata and not secure.
- A. Create a Secret with the API key and use envFrom or valueFrom in the Pod spec.
  Secrets are designed for confidential data and can be injected as environment variables.
- B. Store the API key in a ConfigMap and reference it in the Pod spec.
  Why wrong: ConfigMaps are for non-confidential data; Secrets are for sensitive data.
- C. Embed the API key directly in the container image.
  Why wrong: Embedding secrets in images is insecure and violates best practices.
- D. Store the API key in a Pod annotation and read it with kubectl.
  Why wrong: Annotations are not meant for secrets; they are metadata and not secure.
A company is adopting a GitOps workflow for their Kubernetes deployments. They want to ensure that the cluster state always matches the desired state defined in a Git repository. Which tool is specifically designed for this purpose?
Trap 1: Helm
Helm is a package manager for Kubernetes, not a GitOps operator.
Trap 2: Kustomize
Kustomize is for customizing Kubernetes manifests, not for continuous sync.
Trap 3: Prometheus
Prometheus is a monitoring system, not a GitOps tool.
- A. Helm
  Why wrong: Helm is a package manager for Kubernetes, not a GitOps operator.
- B. Argo CD
  Argo CD is a GitOps tool that syncs cluster state with a Git repository.
- C. Kustomize
  Why wrong: Kustomize is for customizing Kubernetes manifests, not for continuous sync.
- D. Prometheus
  Why wrong: Prometheus is a monitoring system, not a GitOps tool.
Match each Kubernetes networking concept to its description.
Default service type; exposes service on a cluster-internal IP
Exposes service on each node's IP at a static port
Exposes service externally using a cloud provider's load balancer
Service without a cluster IP; used for direct pod-to-pod communication
Implements traffic routing rules defined by Ingress resources
A DevOps team notices that a microservice is returning 503 errors intermittently. The service runs in Kubernetes and uses a liveness probe. The team wants to understand the root cause without restarting the pod. Which observability approach should they use first?
Trap 1: Use kubectl describe pod to check recent events
Events may not capture every probe failure, especially if they are short-lived.
Trap 2: Increase log verbosity in the application to capture all requests
Logs may not capture probe failures, and increasing verbosity can impact performance.
Trap 3: Enable distributed tracing across the service mesh
Tracing is for request flows, not probe health checks.
- A. Use kubectl describe pod to check recent events
  Why wrong: Events may not capture every probe failure, especially if they are short-lived.
- B. Query Prometheus for kubelet metrics on probe successes and failures
  Metrics like 'probe_success' from kubelet can show probe status over time, helping identify intermittent failures.
- C. Increase log verbosity in the application to capture all requests
  Why wrong: Logs may not capture probe failures, and increasing verbosity can impact performance.
- D. Enable distributed tracing across the service mesh
  Why wrong: Tracing is for request flows, not probe health checks.
A startup wants to minimize downtime during application updates in Kubernetes. Which deployment strategy should they use?
Trap 1: Canary
Not a native deployment strategy; typically implemented via progressive delivery tools.
Trap 2: Blue/Green
Not a native Kubernetes deployment strategy; requires additional tooling.
Trap 3: Recreate
Terminates all old pods before creating new ones, causing downtime.
- A. RollingUpdate
  Replaces pods incrementally, maintaining availability.
- B. Canary
  Why wrong: Not a native deployment strategy; typically implemented via progressive delivery tools.
- C. Blue/Green
  Why wrong: Not a native Kubernetes deployment strategy; requires additional tooling.
- D. Recreate
  Why wrong: Terminates all old pods before creating new ones, causing downtime.
A cluster has a node with the taint 'node-role.kubernetes.io/control-plane:NoSchedule'. A pod must be scheduled on this node for a special workload. Which action is required?
Trap 1: Use a nodeSelector to select the node.
Incorrect; nodeSelector cannot bypass taints.
Trap 2: Remove the taint from the node.
Incorrect; removing the taint allows all pods, not just the special one.
Trap 3: Use podAffinity to attract the pod to the node.
Incorrect; affinity does not override taints.
- A. Use a nodeSelector to select the node.
  Why wrong: Incorrect; nodeSelector cannot bypass taints.
- B. Remove the taint from the node.
  Why wrong: Incorrect; removing the taint allows all pods, not just the special one.
- C. Add a toleration to the pod spec.
  Correct; toleration allows the pod to be scheduled on the tainted node.
- D. Use podAffinity to attract the pod to the node.
  Why wrong: Incorrect; affinity does not override taints.
A team wants to minimize downtime during a Deployment rollout. Which strategy ensures that new pods are created before old pods are terminated?
Trap 1: Set strategy type to 'Recreate'.
Recreate terminates all old pods first, causing downtime.
Trap 2: Set strategy type to 'RollingUpdate' with maxSurge=0,…
This allows one pod to be unavailable during update.
Trap 3: Set strategy type to 'RollingUpdate' with maxSurge=1,…
This allows one pod to be unavailable.
- A. Set strategy type to 'Recreate'.
  Why wrong: Recreate terminates all old pods first, causing downtime.
- B. Set strategy type to 'RollingUpdate' with maxSurge=0, maxUnavailable=1.
  Why wrong: This allows one pod to be unavailable during update.
- C. Set strategy type to 'RollingUpdate' with maxSurge=1, maxUnavailable=0.
  New pods are created first, ensuring zero downtime.
- D. Set strategy type to 'RollingUpdate' with maxSurge=1, maxUnavailable=1.
  Why wrong: This allows one pod to be unavailable.
An administrator notices that a pod in a Deployment is stuck in CrashLoopBackOff. The pod logs show 'Error: failed to start container: exec: "app": executable file not found in $PATH'. What is the most likely cause?
Trap 1: The image registry credentials are missing
Missing credentials would cause ImagePullBackOff, not CrashLoopBackOff with this error.
Trap 2: The liveness probe is misconfigured and killing the container
A failing probe would show probe failures in events, not an exec error.
Trap 3: The container is running as a non-root user without proper…
Permission issues would show 'permission denied', not 'executable file not found'.
- A. The image registry credentials are missing
  Why wrong: Missing credentials would cause ImagePullBackOff, not CrashLoopBackOff with this error.
- B. The liveness probe is misconfigured and killing the container
  Why wrong: A failing probe would show probe failures in events, not an exec error.
- C. The container is running as a non-root user without proper permissions
  Why wrong: Permission issues would show 'permission denied', not 'executable file not found'.
- D. The container image does not contain the binary specified in the pod's command field
  The exec error shows the binary is missing, likely due to a typo or wrong image.
An administrator needs to ensure that Pods from two different Deployments cannot communicate with each other. Which Kubernetes resource should be used?
Trap 1: RBAC Role
RBAC controls API access permissions.
Trap 2: PodSecurityPolicy
PSP is for security contexts, not network isolation.
Trap 3: ResourceQuota
ResourceQuota limits resource usage per namespace.
- A. NetworkPolicy
  NetworkPolicy defines ingress/egress rules for pod communication.
- B. RBAC Role
  Why wrong: RBAC controls API access permissions.
- C. PodSecurityPolicy
  Why wrong: PSP is for security contexts, not network isolation.
- D. ResourceQuota
  Why wrong: ResourceQuota limits resource usage per namespace.
Which THREE are key benefits of using a service mesh in a cloud-native architecture? (Choose 3)
Trap 1: Persistent storage management for stateful applications.
Storage is managed by CSI drivers and PersistentVolumes, not service mesh.
Trap 2: Automatic horizontal scaling of pods.
Scaling is handled by autoscalers, not service mesh.
- A. Persistent storage management for stateful applications.
  Why wrong: Storage is managed by CSI drivers and PersistentVolumes, not service mesh.
- B. Mutual TLS (mTLS) encryption between services.
  Service mesh can enforce mTLS for secure communication.
- C. Automatic horizontal scaling of pods.
  Why wrong: Scaling is handled by autoscalers, not service mesh.
- D. Observability through distributed tracing and metrics.
  Service mesh provides detailed telemetry for traffic.
- E. Traffic management such as canary deployments and circuit breaking.
  Service mesh enables advanced traffic routing and resilience patterns.
Match each cloud native concept to its definition.
Lightweight, standalone executable package that includes everything needed
Architectural style that structures an app as a collection of loosely coupled services
Automated configuration, coordination, and management of containers
Approach where servers are never modified after deployment; replaced instead
Specifying the desired state, letting the system achieve and maintain it
A pod is running but you need to view the contents of a file '/var/log/app.log' inside the container to debug an issue. Which kubectl command allows you to do this without modifying the pod?
Trap 1: kubectl logs pod-name -c container-name --tail=100
This shows container logs, not arbitrary file contents.
Trap 2: kubectl cp pod-name:/var/log/app.log -
'kubectl cp' copies files but requires a local destination path.
Trap 3: kubectl attach pod-name
Attach connects to the container's stdin/stdout, not for viewing files.
- A. kubectl logs pod-name -c container-name --tail=100
  Why wrong: This shows container logs, not arbitrary file contents.
- B. kubectl cp pod-name:/var/log/app.log -
  Why wrong: 'kubectl cp' copies files but requires a local destination path.
- C. kubectl exec pod-name -- cat /var/log/app.log
  Executes 'cat' inside the container to display the file.
- D. kubectl attach pod-name
  Why wrong: Attach connects to the container's stdin/stdout, not for viewing files.
When using a Service of type ClusterIP, how do pods reach the service?
Trap 1: Via the node's IP address and a high port
NodePort services expose on node IP and high port, but ClusterIP is internal only.
Trap 2: Via an external load balancer
External load balancers are used with LoadBalancer services, not ClusterIP.
Trap 3: Directly via the pod's IP address
Pod IPs are ephemeral and not stable; services abstract away pod IPs.
- A. Via the service's cluster IP and port
  Pods connect to the service's cluster IP and port, which kube-proxy forwards to healthy pods.
- B. Via the node's IP address and a high port
  Why wrong: NodePort services expose on node IP and high port, but ClusterIP is internal only.
- C. Via an external load balancer
  Why wrong: External load balancers are used with LoadBalancer services, not ClusterIP.
- D. Directly via the pod's IP address
  Why wrong: Pod IPs are ephemeral and not stable; services abstract away pod IPs.
A Service of type ClusterIP is created for a Deployment, but Pods in other namespaces cannot reach it. What is the most likely cause?
Trap 1: NetworkPolicies are blocking cross-namespace traffic
While possible, the most likely cause is DNS naming.
Trap 2: The Service is not publishing the correct port
Port mismatch would cause connection failure, not DNS resolution issues across namespaces.
Trap 3: The Service selector does not match the Pod labels
If the selector didn't match, the Service wouldn't work within the namespace either.
- A. NetworkPolicies are blocking cross-namespace traffic
  Why wrong: While possible, the most likely cause is DNS naming.
- B. The Pods in other namespaces are using the short Service name without the namespace suffix
  Cross-namespace access requires the full DNS name including the namespace.
- C. The Service is not publishing the correct port
  Why wrong: Port mismatch would cause connection failure, not DNS resolution issues across namespaces.
- D. The Service selector does not match the Pod labels
  Why wrong: If the selector didn't match, the Service wouldn't work within the namespace either.
What is the primary purpose of a Kubernetes Service?
Trap 1: To manage rolling updates of Pods
Rolling updates are managed by Deployments.
Trap 2: To schedule Pods onto Nodes
Scheduling is done by the kube-scheduler, not a Service.
Trap 3: To store configuration data for Pods
Configuration data is stored in ConfigMaps or Secrets.
- A. To provide a stable network endpoint for a set of Pods
  A Service enables other components to access Pods reliably, even as Pods change.
- B. To manage rolling updates of Pods
  Why wrong: Rolling updates are managed by Deployments.
- C. To schedule Pods onto Nodes
  Why wrong: Scheduling is done by the kube-scheduler, not a Service.
- D. To store configuration data for Pods
  Why wrong: Configuration data is stored in ConfigMaps or Secrets.
You need to store a database password securely and make it available to a Pod as an environment variable. Which Kubernetes resource should you create?
Trap 1: PersistentVolume
PersistentVolumes provide storage, not a mechanism to expose data as environment variables.
Trap 2: ConfigMap
ConfigMaps are for non-sensitive configuration data, not for secrets.
Trap 3: ServiceAccount
ServiceAccounts provide identity for Pods, not storage of arbitrary secrets.
- A. Secret
  Secrets store sensitive data like passwords, tokens, and keys.
- B. PersistentVolume
  Why wrong: PersistentVolumes provide storage, not a mechanism to expose data as environment variables.
- C. ConfigMap
  Why wrong: ConfigMaps are for non-sensitive configuration data, not for secrets.
- D. ServiceAccount
  Why wrong: ServiceAccounts provide identity for Pods, not storage of arbitrary secrets.
Two pods, 'app-v1' and 'app-v2', both have a label 'app: myapp'. A Service 'my-service' has a selector 'app: myapp'. How many endpoints will the Service initially have?
Trap 1: 1
Both pods match, so there are two endpoints.
Trap 2: 0
Both pods match the selector, so there are endpoints.
Trap 3: Depends on pod readiness
Readiness affects traffic routing, but the Endpoints object is built from all Pods matching the selector (readiness probes may move a Pod out of the ready endpoints). The question asks about the initial state, so assuming both Pods are ready, there are 2 endpoints.
- A. 2
  Both pods have the label 'app: myapp', so both are selected and become endpoints.
- B. 1
  Why wrong: Both pods match, so there are two endpoints.
- C. 0
  Why wrong: Both pods match the selector, so there are endpoints.
- D. Depends on pod readiness
  Why wrong: Readiness affects traffic routing, but the Endpoints object is built from all Pods matching the selector (readiness probes may move a Pod out of the ready endpoints). The question asks about the initial state, so assuming both Pods are ready, there are 2 endpoints.
Which kubectl command would you use to view the logs of a container named 'web' inside a Pod named 'app-12345'?
Trap 1: kubectl logs -p web app-12345
-p is for previous container logs, but the order is wrong.
Trap 2: kubectl logs app-12345 --container=web
--container=web is the long form of -c and also works; the question asks for the single best answer, and the -c shorthand is the more standard form.
Trap 3: kubectl logs web app-12345
The syntax is kubectl logs <pod-name> [-c <container-name>].
- A. kubectl logs app-12345 -c web
  Correct syntax: pod name first, then -c flag for container.
- B. kubectl logs -p web app-12345
  Why wrong: -p is for previous container logs, but the order is wrong.
- C. kubectl logs app-12345 --container=web
  Why wrong: --container=web is the long form of -c and also works; the question asks for the single best answer, and the -c shorthand is the more standard form.
- D. kubectl logs web app-12345
  Why wrong: The syntax is kubectl logs <pod-name> [-c <container-name>].
Which two of the following are valid ways to expose a Deployment externally to the internet? (Select TWO)
Trap 1: Create a Service of type ClusterIP
ClusterIP is only reachable within the cluster.
Trap 2: Create an Ingress resource
Ingress provides HTTP routing but does not expose a Service directly; it requires a Service of type NodePort or LoadBalancer to route traffic.
Trap 3: Create a Headless Service
Headless Services are for service discovery without a single VIP, not for external exposure.
- A. Create a Service of type ClusterIP
  Why wrong: ClusterIP is only reachable within the cluster.
- B. Create an Ingress resource
  Why wrong: Ingress provides HTTP routing but does not expose a Service directly; it requires a Service of type NodePort or LoadBalancer to route traffic.
- C. Create a Service of type LoadBalancer
  LoadBalancer provisions an external load balancer and assigns a public IP.
- D. Create a Headless Service
  Why wrong: Headless Services are for service discovery without a single VIP, not for external exposure.
- E. Create a Service of type NodePort
  NodePort exposes the service on a static port on each Node's IP.
A Deployment is configured with 'replicas: 4' and 'strategy.type: RollingUpdate'. You update the container image. What behavior does the Deployment exhibit?
Trap 1: The Deployment creates 8 Pods total, 4 old and 4 new
The number of Pods does not double; the Deployment manages the transition.
Trap 2: All 4 Pods are deleted immediately and then 4 new Pods are created
That describes a Recreate strategy.
Trap 3: The update is paused until manually resumed
Pausing is a separate action; by default the update proceeds.
- A. The Deployment creates 8 Pods total, 4 old and 4 new
  Why wrong: The number of Pods does not double; the Deployment manages the transition.
- B. All 4 Pods are deleted immediately and then 4 new Pods are created
  Why wrong: That describes a Recreate strategy.
- C. New Pods are created before old ones are terminated, one at a time
  RollingUpdate replaces Pods incrementally.
- D. The update is paused until manually resumed
  Why wrong: Pausing is a separate action; by default the update proceeds.
Which component is responsible for running containers on a Kubernetes node?
Trap 1: kube-controller-manager
The controller manager runs controllers that handle routine tasks, but it does not directly run containers on nodes.
Trap 2: kube-proxy
kube-proxy handles network proxying and load balancing for Services, not container execution.
Trap 3: kube-apiserver
The API server is the front-end of the Kubernetes control plane and does not run containers.
- A. kube-controller-manager
  Why wrong: The controller manager runs controllers that handle routine tasks, but it does not directly run containers on nodes.
- B. kube-proxy
  Why wrong: kube-proxy handles network proxying and load balancing for Services, not container execution.
- C. kube-apiserver
  Why wrong: The API server is the front-end of the Kubernetes control plane and does not run containers.
- D. kubelet
  The kubelet runs on each node and manages pod lifecycles, including starting containers via the container runtime.