Kubernetes and Cloud Native Associate KCNA (KCNA) — Questions 175

997 questions total · 14 pages · All types, answers revealed

1
MCQ (medium)

You have a ConfigMap named 'app-config' with key 'database.url'. Which environment variable reference in a Pod spec injects this value correctly?

A. env: - name: DATABASE_URL valueFrom: configMapKeyRef: name: app-config key: database.url
B. env: - name: DATABASE_URL value: "$(APP_CONFIG_DATABASE_URL)"
C. env: - name: DATABASE_URL valueFrom: secretKeyRef: name: app-config key: database.url
D. env: - name: DATABASE_URL valueFrom: configMapRef: name: app-config key: database.url
Answer: A

This correctly references the key 'database.url' from ConfigMap 'app-config'.

Why this answer

Option A is correct because it uses the `configMapKeyRef` field under `valueFrom` to reference a specific key (`database.url`) from the ConfigMap named `app-config`. This is the standard Kubernetes syntax for injecting a single key from a ConfigMap as an environment variable into a Pod.

Exam trap

The trap here is that candidates may confuse `configMapKeyRef` with `configMapRef` (which is used with `envFrom`, not `valueFrom`) or mistakenly use `secretKeyRef` for ConfigMaps, thinking the syntax is interchangeable.

How to eliminate wrong answers

Option B is wrong because `$(APP_CONFIG_DATABASE_URL)` is not a valid Kubernetes syntax for referencing ConfigMap values; it resembles a shell variable substitution, not a Kubernetes environment variable reference. Option C is wrong because it uses `secretKeyRef`, which is for referencing Secrets, not ConfigMaps; ConfigMaps must use `configMapKeyRef`. Option D is wrong because `configMapRef` is not a valid field under `valueFrom`; the correct field is `configMapKeyRef`.

2
MCQ (medium)

A team wants to manage their Kubernetes infrastructure using code. Which tool is specifically designed for Infrastructure as Code (IaC) and can manage Kubernetes resources?

A. Helm
B. kubectl
C. Kustomize
D. Terraform
Answer: D

Why this answer

Terraform is a dedicated Infrastructure as Code (IaC) tool that uses declarative configuration files (HCL) to provision and manage cloud resources, including Kubernetes clusters and their workloads. It maintains state to track resource dependencies and can orchestrate Kubernetes resources via its Kubernetes provider, making it the correct choice for managing Kubernetes infrastructure as code.

Exam trap

The trap here is that candidates confuse Helm or Kustomize as IaC tools because they manage Kubernetes resources declaratively, but they lack the infrastructure provisioning and state management capabilities that define true Infrastructure as Code.

How to eliminate wrong answers

Option A is wrong because Helm is a package manager for Kubernetes that deploys pre-packaged applications (charts) but is not an IaC tool; it manages releases and templates, not infrastructure state. Option B is wrong because kubectl is a command-line client for interacting with Kubernetes API directly, used for imperative or ad-hoc operations, not for declarative infrastructure provisioning or state management. Option C is wrong because Kustomize is a configuration customization tool that overlays patches on Kubernetes manifests without managing infrastructure state or provisioning resources outside of Kubernetes.

3
Multi-Select (hard)

Which three of the following are true about Services in Kubernetes? (Select three.)

Select 3 answers
A. A Service provides a stable IP address for a set of pods
B. A Service can load balance traffic across multiple pods
C. A Service can be used for internal cluster traffic only using ClusterIP
D. A Service can store configuration data for applications
E. A Service can replace an Ingress for HTTP routing
Answers: A, B, C

Services have stable IPs and DNS names.

Why this answer

Services provide stable endpoints, load balance across pods, and support multiple types. They do not replace Ingress; Ingress provides HTTP routing. Services do not store configuration; ConfigMaps do.

4
MCQ (medium)

Which component on each worker node is responsible for ensuring that containers are running as specified in the Pod manifest?

A. kube-scheduler
B. container runtime
C. kubelet
D. kube-proxy
Answer: C

kubelet ensures containers are running per spec.

Why this answer

kubelet is the primary node agent that interacts with the container runtime to ensure containers are healthy and running.

5
MCQ (medium)

In the 12-factor app methodology, which factor describes the practice of storing configuration in environment variables?

A. Backing services
B. Config
C. Processes
D. Build, release, run
Answer: B

Config is Factor III.

Why this answer

The Config factor (Factor III) of the 12-factor app methodology mandates that configuration—such as database URLs, credentials, or feature flags—be stored in environment variables. This decouples configuration from code, allowing the same build to be deployed across different environments without code changes, and prevents accidental commits of secrets to version control.

Exam trap

CNCF often tests the distinction between 'Config' and 'Backing services'—candidates mistakenly think storing database credentials in environment variables is a 'Backing services' concern, but it is actually a 'Config' concern because the credentials are configuration, not the service itself.

How to eliminate wrong answers

Option A is wrong because 'Backing services' (Factor IV) treats attached services (databases, caches, message queues) as disposable resources accessed via URL or binding, not about storing configuration. Option C is wrong because 'Processes' (Factor VI) concerns stateless execution and sharing nothing between processes, not configuration storage. Option D is wrong because 'Build, release, run' (Factor V) describes the strict separation of build, release, and run stages to ensure immutability, not the mechanism for injecting configuration.

6
MCQ (medium)

In a service mesh architecture, which component is responsible for intercepting and managing traffic to and from a pod?

A. Sidecar proxy
B. Ingress controller
C. API gateway
D. Control plane
Answer: A

The sidecar proxy (e.g., Envoy) intercepts all traffic to and from the pod, providing service mesh capabilities.

Why this answer

The sidecar proxy (e.g., Envoy) runs alongside each service instance and intercepts all network traffic, enabling features like traffic management and observability.

7
MCQ (hard)

When using OpenTelemetry, what is the role of the 'Collector'?

A. To alert on abnormal metrics
B. To store traces for long-term retention
C. To receive, process, and export telemetry data in a vendor-neutral way
D. To instrument application code manually
Answer: C

Correct. The Collector is a pipeline for telemetry data.

Why this answer

Option C is correct because the OpenTelemetry Collector is a vendor-agnostic proxy that receives telemetry data (traces, metrics, logs) from instrumented applications, processes it (e.g., batching, filtering, enrichment), and exports it to one or more backends (e.g., Jaeger, Prometheus, or any OTLP-compatible system). It decouples data generation from data storage, enabling flexible, scalable observability pipelines without vendor lock-in.

Exam trap

CNCF often tests the misconception that the Collector is a storage or alerting system, when in fact it is a stateless pipeline component that only receives, processes, and exports telemetry data.

How to eliminate wrong answers

Option A is wrong because alerting on abnormal metrics is the responsibility of monitoring systems like Prometheus with Alertmanager, not the OpenTelemetry Collector, which focuses on data ingestion, processing, and export. Option B is wrong because long-term storage of traces is handled by backend systems (e.g., Jaeger, Tempo) or databases; the Collector is a pipeline component that forwards data, not a persistent store. Option D is wrong because manual instrumentation of application code is done using OpenTelemetry SDKs and APIs (e.g., for traces, metrics), while the Collector operates as a separate infrastructure component that receives already-instrumented telemetry.

8
MCQ (easy)

Which command is used to rollback a Helm release to a previous revision?

A. helm history <release-name>
B. helm rollback <release-name> <revision>
C. helm install <release-name>
D. helm upgrade <release-name>
Answer: B

Why this answer

The `helm rollback` command rolls back a release to a specified revision. Option A is correct. Option B (helm upgrade) upgrades to a new version.

Option C (helm history) shows revision history. Option D (helm install) installs a new release.

9
MCQ (easy)

Which component runs on every node and is responsible for ensuring that containers are running as specified in Pod manifests?

A. kubelet
B. kube-proxy
C. container runtime
D. kube-controller-manager
Answer: A

kubelet is the agent that runs on each node and manages Pods and their containers.

Why this answer

The kubelet is the primary node agent that runs on every node in a Kubernetes cluster. It is responsible for ensuring that containers described in Pod manifests (typically provided via the API server) are running and healthy. The kubelet does not manage containers directly; instead, it interacts with the container runtime (e.g., containerd, CRI-O) to create, start, and stop containers as specified.

Exam trap

The trap here is that candidates confuse the container runtime (which actually runs containers) with the kubelet (which ensures the desired state from Pod manifests), leading them to pick 'container runtime' instead of 'kubelet'.

How to eliminate wrong answers

Option B is wrong because kube-proxy is a network proxy that runs on each node, handling network rules and forwarding traffic for Services, not managing container lifecycle. Option C is wrong because the container runtime (e.g., containerd, CRI-O) is the software that actually runs containers, but it is not responsible for reconciling Pod manifests or ensuring desired state — that is the kubelet's job. Option D is wrong because kube-controller-manager runs as a control plane component (not on every node) and manages controllers like ReplicaSet and Node Controller, but does not directly interact with containers on individual nodes.

10
Multi-Select (hard)

A pod is stuck in Pending state. Which THREE of the following are possible causes?

Select 3 answers
A. The pod specifies a nodeSelector that does not match any node
B. The container image does not exist
C. No node has enough CPU or memory to satisfy the pod's resource requests
D. The pod has a liveness probe that is failing
E. A PersistentVolumeClaim used by the pod is not bound
Answers: A, C, E

If no nodes have the required labels, the pod cannot be scheduled.

Why this answer

A pod enters a Pending state when it cannot be scheduled onto a node. A `nodeSelector` constraint requires the node to have specific labels; if no node matches, the scheduler cannot place the pod, leaving it Pending. This is a common scheduling failure cause.

Exam trap

CNCF often tests the distinction between scheduling failures (Pending) and runtime failures (CrashLoopBackOff, ImagePullBackOff), so candidates mistakenly attribute image or probe issues to the Pending state.

11
MCQ (medium)

You need to expose a set of pods running in the 'dev' namespace internally within the cluster on a stable IP. All pods have the label 'app: web'. Which kubectl command should you use?

A. kubectl expose deployment web --port=80 --target-port=8080 --name=web-service -n dev
B. kubectl create service clusterip web --tcp=80:8080 -n dev
C. kubectl run web --image=nginx --port=80 -n dev
D. kubectl expose pod web --port=80 --target-port=8080 --name=web-service -n dev
Answer: A

If the pods are managed by a Deployment named 'web', this creates a Service that targets the pods.

Why this answer

Option A is correct because it exposes the existing deployment named 'web' (which manages pods with label 'app: web') as a ClusterIP service, providing a stable internal IP and DNS name within the cluster. The `--port=80` sets the service port, and `--target-port=8080` maps to the container port, ensuring traffic reaches the pods correctly in the 'dev' namespace.

Exam trap

CNCF often tests the distinction between exposing a deployment (which uses a label selector for all pods) versus exposing a specific pod (which targets only that pod by name), leading candidates to choose Option D incorrectly.

How to eliminate wrong answers

Option B is wrong because `kubectl create service clusterip` requires a selector to match the pods, but the command does not specify `--clusterip` or a selector; it creates a service with no endpoints, leaving it non-functional. Option C is wrong because `kubectl run` creates a deployment or pod, not a service; it does not expose anything on a stable IP. Option D is wrong because `kubectl expose pod` targets a specific pod by name, not a set of pods with a label selector; it would expose only that single pod, not the entire set, and the pod name 'web' likely does not exist.

12
MCQ (easy)

Which of the following is a key benefit of container orchestration compared to running containers manually?

A. Containers use less memory
B. Automatic scaling and self-healing
C. Orchestration eliminates the need for container images
D. Containers run faster when orchestrated
Answer: B

Orchestration platforms like Kubernetes provide automatic scaling and self-healing capabilities.

Why this answer

Container orchestration provides automated scaling, self-healing, and declarative management, which are not available when running containers manually.

13
MCQ (hard)

You apply the following YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deploy
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: nginx
        image: nginx:1.21

But the Deployment never creates any Pods. Which field is missing or incorrect?

A. The field 'spec.selector' is missing, which is required for Deployment
B. The 'replicas' field is set to 0
C. The 'containers' field is misspelled as 'container'
D. The 'apiVersion' should be 'v1'
Answer: A

Deployments require a 'selector' field to know which Pods to manage.

Why this answer

The Deployment YAML is syntactically correct and valid, but it will never create Pods because the `spec.selector` field is missing. In Kubernetes, a Deployment requires a `spec.selector` to identify which Pods it manages; without it, the Deployment controller cannot match the Pod template to a ReplicaSet, so no Pods are created. The provided YAML has `selector` under `spec`, but it is not the required `spec.selector` — the field is present but incorrectly placed or missing entirely in the context of the Deployment spec.

Exam trap

CNCF often tests the misconception that the `selector` field is optional or that the `template.metadata.labels` alone suffice, but the `spec.selector` is mandatory and must match the template labels for the Deployment to function.

How to eliminate wrong answers

Option B is wrong because the `replicas` field is set to 3, not 0, so this is not the cause of the issue. Option C is wrong because the `containers` field is correctly spelled as `containers` in the YAML, not misspelled as `container`. Option D is wrong because `apiVersion: apps/v1` is the correct version for a Deployment in modern Kubernetes (v1.16+), and using `v1` would be incorrect as it does not support Deployments.

14
MCQ (medium)

You need to run a stateless web application with three replicas, and you want to ensure that if a pod fails, it is automatically replaced. Which Kubernetes resource should you use?

A. DaemonSet
B. Job
C. StatefulSet
D. Deployment
Answer: D

Deployment creates a ReplicaSet to maintain the desired number of pod replicas and supports rolling updates.

Why this answer

A Deployment manages ReplicaSets and provides declarative updates, including self-healing by recreating failed pods. A DaemonSet runs a pod on each node, a Job runs a batch task, and a StatefulSet is for stateful applications.

15
Multi-Select (hard)

Which THREE are valid container runtimes that implement the Kubernetes CRI? (Choose three.)

Select 3 answers
A. Docker (via dockershim, deprecated)
B. containerd
C. runc
D. CRI-O
E. rkt
Answers: A, B, D

Docker used dockershim to implement CRI, now deprecated.

Why this answer

containerd, CRI-O, and Docker (via dockershim, deprecated) implement CRI. rkt is discontinued and not CRI-compliant; runc is a low-level runtime, not a CRI implementation.

16
Multi-Select (medium)

Which TWO of the following are valid PromQL functions? (Select two.)

Select 2 answers
A. topk()
B. histogram_quantile()
C. rate()
D. avg()
E. sum()
Answers: B, C

histogram_quantile() calculates quantiles from histogram metrics.

Why this answer

rate() and histogram_quantile() are common PromQL functions. avg_over_time() is also a valid function, but avg is not a function; it is an aggregation operator.

17
MCQ (medium)

A developer wants to view the logs of a specific container named 'sidecar' in a pod called 'web-app'. Which command should they use?

A. kubectl logs sidecar --pod web-app
B. kubectl logs -c sidecar web-app
C. kubectl logs sidecar web-app
D. kubectl logs web-app -c sidecar
Answer: D

Correct. -c specifies the container.

Why this answer

The -c flag specifies the container name when a pod has multiple containers.

18
MCQ (hard)

In the context of the 12-factor app methodology, which factor is addressed by storing configuration in environment variables?

A. IV. Backing Services
B. III. Config
C. II. Dependencies
D. I. Codebase
Answer: B

Config specifies storing configuration in environment variables.

Why this answer

The 12-factor app's 'Config' factor (III) states that configuration should be stored in environment variables, not in code. Options A, B, and D correspond to other factors: Codebase, Dependencies, and Backing Services respectively.

19
MCQ (medium)

Which component in a service mesh architecture is responsible for handling inter-service communication on behalf of the application container?

A. Sidecar proxy
B. Control plane
C. Ingress controller
D. API gateway
Answer: A

The sidecar proxy runs alongside the application container and handles all network communication.

Why this answer

The sidecar proxy (e.g., Envoy) intercepts all network traffic to and from the application container, providing observability, traffic management, and security.

20
MCQ (medium)

Which kubectl command would you use to view the logs of a specific container named 'app' in a multi-container Pod named 'web-pod'?

A. kubectl log web-pod container app
B. kubectl logs web-pod app
C. kubectl logs web-pod -c app
D. kubectl logs app web-pod
Answer: C

The -c flag specifies the container name in a multi-container Pod.

Why this answer

Option C is correct because the `kubectl logs` command uses the `-c` flag to specify a container name within a multi-container Pod. The correct syntax is `kubectl logs <pod-name> -c <container-name>`, which targets the 'app' container inside 'web-pod'.

Exam trap

The trap here is that candidates often forget the `-c` flag and assume `kubectl logs web-pod app` works by positional arguments, but Kubernetes requires the explicit `-c` flag for multi-container Pods.

How to eliminate wrong answers

Option A is wrong because `kubectl log` is not a valid command; the correct verb is `logs`. Option B is wrong because it omits the `-c` flag, which is required to specify a container in a multi-container Pod; without it, `kubectl logs` defaults to the first container or fails if multiple containers exist. Option D is wrong because the argument order is reversed; the pod name must come first, followed by the `-c` flag and container name.

21
MCQ (easy)

What is the role of the kubelet on a worker node?

A. It ensures containers are running in a Pod as specified
B. It stores cluster state
C. It manages network rules for Services
D. It runs the container runtime
Answer: A

kubelet receives Pod specifications and works with the container runtime to maintain them.

Why this answer

kubelet is the primary node agent that ensures containers are running and healthy according to Pod specifications.

22
MCQ (medium)

In a service mesh architecture, what is the role of the sidecar proxy?

A. It provides persistent storage for the pod
B. It manages the lifecycle of the pod
C. It intercepts and controls network communication to and from the main container
D. It serves as the main application container
Answer: C

The sidecar proxy handles traffic routing, telemetry, and security policies.

Why this answer

The sidecar proxy intercepts all network traffic to/from the main container, enabling observability, traffic management, and security without modifying application code.

23
MCQ (hard)

An administrator wants to ensure that a specific pod only runs on nodes that have solid-state drives (SSDs). Nodes with SSDs are labeled with 'disktype=ssd'. Which pod specification field should be used?

A. nodeSelector
B. container resource limits
C. tolerations
D. nodeAffinity
Answer: A

nodeSelector directly matches node labels and is the simplest approach for this requirement.

Why this answer

The `nodeSelector` field in a Pod spec is the simplest and most direct way to constrain a Pod to nodes with specific labels. By setting `nodeSelector: { disktype: ssd }`, the scheduler will only place the Pod on nodes that have the label `disktype=ssd`, which matches the administrator's requirement exactly. This field is a hard constraint that does not support complex expressions, but it is ideal for straightforward label-based node selection.

Exam trap

The trap here is that candidates often confuse `nodeSelector` with `nodeAffinity` and choose `nodeAffinity` because it sounds more powerful, but the question explicitly asks for the field that ensures a specific pod only runs on nodes with SSDs, and `nodeSelector` is the correct, minimal field for a simple label match.

How to eliminate wrong answers

Option B is wrong because container resource limits (e.g., `resources.limits.cpu` and `resources.limits.memory`) control how much CPU and memory a container can consume, not where the Pod is scheduled. Option C is wrong because tolerations are used to allow Pods to schedule on nodes with taints, not to select nodes based on labels; tolerations enable scheduling on tainted nodes but do not actively select nodes by label. Option D is wrong because `nodeAffinity` is a more advanced feature that supports complex label matching (e.g., `requiredDuringSchedulingIgnoredDuringExecution` with `matchExpressions`), but the question asks for the field that should be used, and `nodeSelector` is the simplest and most appropriate for a single label match like `disktype=ssd`.

24
MCQ (easy)

Which Prometheus metric type is used to represent a value that can increase or decrease over time, such as memory usage?

A. Gauge
B. Histogram
C. Summary
D. Counter
Answer: A

A gauge can increase or decrease.

Why this answer

A gauge is a metric that can go up and down, like memory usage or temperature.

25
Multi-Select (hard)

Which THREE of the following are components of the OpenTelemetry project?

Select 3 answers
A. Prometheus
B. Collector
C. Specification
D. Jaeger
E. SDKs (Software Development Kits)
Answers: B, C, E

A vendor-agnostic telemetry pipeline.

Why this answer

OpenTelemetry includes specification, SDKs, Collector, and instrumentations. Prometheus and Jaeger are separate projects.

26
MCQ (medium)

In the context of DORA metrics, which metric measures how often an organization successfully releases to production?

A. Lead time for changes
B. Deployment frequency
C. Mean time to restore (MTTR)
D. Change failure rate
Answer: B

Deployment frequency measures how often deployments occur.

Why this answer

Deployment frequency is a DORA metric that measures how often an organization deploys code to production or an operational environment.

27
MCQ (medium)

Which Kubernetes object provides stable network endpoints and load balancing for a set of Pods?

A. NetworkPolicy
B. Deployment
C. Ingress
D. Service
Answer: D

Services provide stable endpoints and load balancing.

Why this answer

A Service provides a stable IP and DNS name, and distributes traffic across Pods matching its selector.

28
Multi-Select (medium)

Which TWO of the following are benefits of using a container orchestration platform like Kubernetes? (Select 2)

Select 2 answers
A. Single-node deployment for simplicity
B. Manual scaling of applications
C. Automated scaling based on demand
D. Elimination of all application bugs
E. High availability through automated failover
Answers: C, E

Horizontal Pod Autoscaler scales replicas automatically.

Why this answer

Option C is correct because Kubernetes includes a Horizontal Pod Autoscaler (HPA) that automatically adjusts the number of pod replicas based on observed CPU, memory, or custom metrics. This enables applications to scale out during traffic spikes and scale in during low demand, improving resource utilization and responsiveness without manual intervention.

Exam trap

CNCF often tests the distinction between 'benefits' and 'basic features'—candidates may incorrectly select manual scaling (B) as a benefit, but the exam expects you to recognize that automation (C) and high availability (E) are the true advantages of orchestration platforms.

29
MCQ (medium)

During a canary deployment using Argo Rollouts, how does the tool determine the success of the canary before promoting it?

A. By checking the rollout's status field in the YAML
B. By requiring manual approval via a webhook
C. By comparing the ReplicaSet's age to a threshold
D. By analyzing predefined metrics (e.g., error rate) via an AnalysisTemplate
Answer: D

AnalysisTemplate runs metric queries and determines success/failure.

Why this answer

Argo Rollouts uses metrics from a service mesh or monitoring to analyze the canary's health and decide whether to proceed.

30
Multi-Select (easy)

Which TWO of the following are benefits of using containers over virtual machines? (Choose 2)

Select 2 answers
A. Containers are more lightweight and start faster than VMs
B. Containers require hypervisor software to run
C. Containers include a full guest operating system
D. Containers are portable across different environments
E. Containers provide stronger isolation than VMs
Answers: A, D

Containers share the host OS kernel and do not need to boot an OS, so they start in seconds.

Why this answer

Containers share the host OS kernel and run as isolated processes, making them lightweight and able to start in milliseconds, unlike VMs which require booting a full guest OS. This efficiency stems from container images being mere megabytes compared to gigabytes for VM images, and containers using cgroups and namespaces for resource management rather than a hypervisor.

Exam trap

The trap here is that candidates confuse container isolation with VM isolation, assuming containers are more secure, when in fact VMs provide stronger isolation due to hardware virtualization, and CNCF often tests this distinction by offering 'stronger isolation' as a distractor.

31
Multi-Select (hard)

Which THREE of the following are key principles of cloud-native architecture according to CNCF?

Select 3 answers
A. Dynamic orchestration
B. Serverless
C. Agile development
D. Microservices
E. Containers
Answers: A, D, E

Automated management is key.

Why this answer

The CNCF defines cloud-native technologies as those that use microservices, containers, and dynamic orchestration. Serverless is an approach but not a core principle; agile development is a methodology, not unique to cloud-native.

32
MCQ (medium)

Your organization runs a multi-service application on a Kubernetes cluster. Each service is deployed as a set of Pods managed by a Deployment. The application experiences intermittent slowdowns during peak traffic. Monitoring shows that the database service Pods have high CPU usage, but the HorizontalPodAutoscaler (HPA) configured for the database Deployment does not scale. The HPA is based on average CPU utilization across Pods, with target 70%. The database Deployment has resource requests and limits set: requests.cpu: 500m, limits.cpu: 1000m. During peak, CPU usage reaches 800m per Pod. The HPA has a cooldown period of 3 minutes. The cluster has ample capacity. What is the most likely reason the HPA is not scaling?

A. The HPA is configured to use a different metric (e.g., memory) instead of CPU.
B. The HPA cooldown period of 3 minutes prevents scaling during the short peak duration.
C. The CPU limit of 1000m restricts the Pods from using more than 1000m, but the HPA bases scaling on requests, not limits.
D. The cluster does not have enough nodes to schedule additional Pods.
Answer: A

If the HPA is mistakenly using memory metric, it would not scale based on CPU spikes.

Why this answer

Option A is correct because the scenario states that CPU usage reaches 800m per Pod, which is 160% of the requested 500m, well above the HPA's 70% target. If the HPA were correctly configured for CPU, it would have triggered scaling. The fact that it does not scale despite high CPU usage indicates the HPA is likely configured to use a different metric (e.g., memory or custom metrics), not CPU.

This mismatch between the metric the HPA monitors and the actual resource bottleneck prevents scaling.

Exam trap

The trap here is that candidates assume the HPA is always configured for CPU by default, but the KCNA exam tests whether you recognize that an HPA can be configured for any metric, and a mismatch between the monitored metric and the actual bottleneck will prevent scaling.

How to eliminate wrong answers

Option B is wrong because the cooldown period of 3 minutes only delays scaling actions, it does not prevent scaling entirely; if CPU usage remains high for longer than 3 minutes, the HPA would still scale. Option C is wrong because the HPA bases its scaling decision on the average CPU utilization relative to the resource request (500m), not the limit (1000m); with 800m usage, utilization is 160% of the request, which should trigger scaling. Option D is wrong because the cluster has ample capacity, as stated in the question, so insufficient nodes are not the issue.

33
MCQ (easy)

What is the primary purpose of Kubernetes?

A. To provide a graphical interface for managing containers
B. To replace virtual machines with containers
C. To compile container images from source code
D. To orchestrate containers across a cluster of machines
Answer: D

This is the core purpose of Kubernetes.

Why this answer

Kubernetes is a container orchestration platform that automates deployment, scaling, and management of containerized applications.

34
MCQ (easy)

Which of the following best describes the purpose of the Cloud Native Computing Foundation (CNCF)?

A. To promote cloud native technologies and host open source projects
B. To define the 12-factor app methodology
C. To provide cloud infrastructure services for enterprises
D. To develop and maintain the Kubernetes project exclusively
Answer: A

CNCF hosts projects, drives adoption, and fosters community.

Why this answer

The CNCF's primary purpose is to foster the adoption of cloud native technologies by hosting and governing open source projects like Kubernetes, Prometheus, and Envoy. It provides a neutral home for these projects, ensuring they are developed collaboratively under a vendor-neutral governance model. This aligns directly with option A, which captures both the promotional and hosting roles of the foundation.

Exam trap

CNCF often tests the misconception that the CNCF is synonymous with Kubernetes alone, but the trap here is that the CNCF's scope includes a wide ecosystem of cloud native projects, not just Kubernetes.

How to eliminate wrong answers

Option B is wrong because the 12-factor app methodology was defined by Heroku engineers in 2011, not by the CNCF, and while the CNCF promotes cloud native patterns, it did not create that specific methodology. Option C is wrong because the CNCF does not provide cloud infrastructure services (e.g., compute, storage, networking) — that is the role of cloud providers like AWS, Azure, or GCP; the CNCF is a foundation that hosts projects, not a service provider. Option D is wrong because while the CNCF hosts Kubernetes, it also hosts dozens of other projects (e.g., Prometheus, Fluentd, Linkerd) and is not exclusive to Kubernetes; its mission is broader than any single project.

35
MCQmedium

A Kubernetes cluster has a Service named 'my-svc' in the 'default' namespace. Which command would correctly expose this service as an external endpoint using a cloud load balancer?

A.kubectl expose deployment my-svc --type=LoadBalancer --name=my-svc-lb
B.kubectl expose service my-svc --name=my-svc-lb
C.kubectl expose service my-svc --port=80 --target-port=8080
D.kubectl expose service my-svc --type=LoadBalancer --name=my-svc-lb
AnswerD

Correctly creates a new LoadBalancer service based on the existing service.

Why this answer

The correct command to expose the service with a LoadBalancer type is 'kubectl expose service my-svc --type=LoadBalancer --name=my-svc-lb'. Option A incorrectly uses 'deployment' instead of 'service'; Option B omits '--type', so the new Service defaults to ClusterIP; Option C sets '--port' and '--target-port' but also omits '--type', again defaulting to ClusterIP; Option D is correct.

36
MCQmedium

Which command would you use to view the logs of a container named 'web' in a pod named 'frontend' running in the 'production' namespace?

A.kubectl logs -c web frontend --namespace production
B.kubectl logs frontend -c web -n production
C.kubectl logs frontend -n production container web
D.kubectl logs frontend web --namespace production
AnswerB

Correct syntax: kubectl logs <pod> -c <container> -n <namespace>.

Why this answer

Option B is correct because the `kubectl logs` command requires the pod name as the first positional argument, and the `-c` flag specifies the container name when a pod has multiple containers. The `-n` flag sets the namespace. The correct syntax is `kubectl logs <pod-name> -c <container-name> -n <namespace>`, which matches option B exactly.

Exam trap

CNCF often tests the correct ordering of flags and positional arguments in `kubectl` commands, specifically that the `-c` container flag must come after the pod name, not before, and that omitting it when a pod has multiple containers will not target the intended container.

How to eliminate wrong answers

Option A is wrong because it places the `-c web` flag before the pod name, which is syntactically incorrect; the `-c` flag must follow the pod name. Option C is wrong because it uses an invalid positional argument 'container' after the pod name; `kubectl logs` does not accept a literal 'container' keyword. Option D is wrong because it omits the `-c` flag entirely, so it would attempt to view logs from the pod's default container (or fail if the pod has multiple containers and no default is defined), not specifically from the container named 'web'.

37
Multi-Selectmedium

Which TWO of the following are valid ways to expose a Deployment as a Service?

Select 2 answers
A.Run 'kubectl expose deployment my-deployment --port=80 --target-port=8080'
B.Edit the Deployment and set 'spec.serviceName'
C.Run 'kubectl run my-deployment --image=nginx --expose'
D.Add a 'service' section to the Deployment's YAML manifest
E.Create a Service YAML with a selector matching the Deployment's pod labels
AnswersA, E

This command creates a Service based on the Deployment's pod labels.

Why this answer

You can create a Service that selects pods by their labels. Using 'kubectl expose deployment' creates a Service from a Deployment. Writing a Service YAML manifest and applying it also works.

Editing the Deployment's spec does not create a Service, and 'kubectl run' with --expose creates a pod and service, but not from an existing Deployment.

38
MCQhard

You have a Deployment that uses a ConfigMap for configuration. You update the ConfigMap with new data. However, the pods in the Deployment continue to use the old configuration. What is the most likely reason?

A.The ConfigMap data is immutable and cannot be updated
B.The ConfigMap is referenced by a different name in the pod spec
C.The ConfigMap is mounted as a volume, and the pods have not been restarted
D.The Deployment's update strategy is set to Recreate
AnswerC

When a ConfigMap is mounted as a volume, the files are updated eventually, but the application may not automatically reload the configuration. For environment variables, the pod must be restarted. In either case, without a restart, the old configuration is used.

Why this answer

When a ConfigMap is mounted as a volume in a Pod, updates to the ConfigMap are automatically propagated to the mounted files, but the running process inside the container does not automatically reload the configuration. The Pod must be restarted (e.g., by rolling update or manual deletion) for the application to read the new values. This is the most common reason for stale configuration in a Deployment.

Exam trap

CNCF often tests the misconception that updating a ConfigMap automatically updates running Pods, when in fact the Pod must be restarted (or the application must watch for file changes) for the new configuration to take effect.

How to eliminate wrong answers

Option A is wrong because ConfigMaps are not immutable by default; they can be updated unless the `immutable` field is explicitly set to `true`. Option B is wrong because if the ConfigMap were referenced by a different name, the Pod would fail to start or mount, not silently use old data. Option D is wrong because the `Recreate` update strategy would terminate all Pods and create new ones, which would pick up the updated ConfigMap; it does not cause stale configuration.

39
MCQmedium

In an event-driven architecture, what is the role of an event broker?

A.To intermediate between event producers and consumers
B.To run event-processing logic
C.To transform events into API calls
D.To store event schemas
AnswerA

The broker ensures reliable delivery and routing.

Why this answer

In an event-driven architecture, the event broker acts as a middleware that decouples event producers from consumers by receiving events from producers and forwarding them to interested consumers. This intermediary role ensures asynchronous communication, scalability, and fault tolerance without requiring producers and consumers to be directly aware of each other. Technologies like Apache Kafka, RabbitMQ, or cloud-native services such as AWS EventBridge exemplify this pattern.

Exam trap

CNCF often tests the misconception that the event broker performs processing or transformation, but its core role is purely intermediary—routing events without executing business logic.

How to eliminate wrong answers

Option B is wrong because running event-processing logic is the responsibility of event processors or stream processing frameworks (e.g., Apache Flink, Kafka Streams), not the event broker, which focuses on routing and delivery. Option C is wrong because transforming events into API calls is a function of an API gateway or integration layer, not the event broker; brokers handle event transport, not protocol translation. Option D is wrong because storing event schemas is typically managed by a schema registry (e.g., Confluent Schema Registry) that works alongside the broker, but the broker itself does not store schemas—it stores and forwards event data.

40
MCQhard

What is the main advantage of using OpenTelemetry over vendor-specific instrumentation libraries?

A.It provides a single, vendor-agnostic instrumentation standard
B.It eliminates the need for logging
C.It automatically reduces latency
D.It is the only tool that supports traces
AnswerA

OpenTelemetry is an open standard that works with multiple backends.

Why this answer

OpenTelemetry provides a unified standard that avoids vendor lock-in, allowing data to be sent to any backend.

41
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete the namespace and redeploy all workloads
B.Increase the memory limit in the pod's container resource specification
C.Delete and recreate the pod to clear the crash loop
D.Increase the CPU request for the container
AnswerB

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option B is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option C would not help: restarting the pod without addressing the root cause will result in the same failure. Option D addresses CPU, not memory. Option A (deleting the namespace) is destructive and unnecessary.

42
Multi-Selecthard

Which THREE of the following are benefits of using a service mesh? (Choose 3.)

Select 3 answers
A.Database management
B.Security
C.Observability
D.Code compilation
E.Traffic management
AnswersB, C, E

Why this answer

A service mesh, such as Istio or Linkerd, offloads cross-cutting concerns from application code into a dedicated infrastructure layer. Security is a core benefit because the service mesh can enforce mutual TLS (mTLS) between all service-to-service communications, providing encryption, identity verification, and fine-grained access policies without modifying application code.

Exam trap

CNCF often tests the misconception that a service mesh is a general-purpose tool for all infrastructure concerns, leading candidates to incorrectly select options like database management or code compilation, when in fact the service mesh is narrowly focused on network-level traffic management, security, and observability.

43
MCQhard

A Kubernetes cluster is experiencing network latency. The team suspects that the number of services and endpoints is causing iptables performance degradation. Which CNI plugin or network policy approach is most likely to improve performance?

A.Switch to Flannel with host-gw backend
B.Use Calico with iptables mode
C.Use an eBPF-based CNI plugin like Cilium
D.Apply a default-deny NetworkPolicy
AnswerC

eBPF bypasses iptables, reducing latency and improving scalability.

Why this answer

C is correct because eBPF-based CNI plugins like Cilium bypass the traditional iptables chains entirely, using a kernel-level BPF (Berkeley Packet Filter) program to handle service load balancing and network policy enforcement. This eliminates the O(n) scaling issue of iptables rules with the number of services and endpoints, significantly reducing latency in large clusters.

Exam trap

The trap here is that candidates often assume any CNI change or network policy adjustment can fix iptables performance, but only eBPF-based solutions fundamentally change the data path to avoid iptables scaling limitations.

How to eliminate wrong answers

Option A is wrong because Flannel with host-gw backend only improves pod-to-pod routing by using direct host routes, but it does not address iptables performance degradation for service load balancing; Flannel still relies on iptables or IPVS for Service ClusterIP forwarding. Option B is wrong because Calico with iptables mode uses the same iptables data path that is already causing performance issues; it would not improve latency and may even worsen it with additional policy rules. Option D is wrong because applying a default-deny NetworkPolicy adds more iptables rules to enforce isolation, which increases the rule count and further degrades iptables performance, the opposite of what is needed.

44
MCQmedium

A team wants to implement Infrastructure as Code (IaC) for managing Kubernetes resources. Which tool is BEST suited for this purpose?

A.Pulumi
B.Ansible
C.Terraform
D.Helm
AnswerD

Helm is a package manager for Kubernetes that uses charts to manage applications.

Why this answer

Helm is a package manager for Kubernetes that allows you to define, install, and upgrade Kubernetes applications using charts. Terraform and Pulumi are IaC tools for infrastructure, but for Kubernetes-specific resources, Helm is more directly focused. Ansible can also manage Kubernetes but is not as specialized.

45
Multi-Selectmedium

Which two components are part of the Kubernetes control plane? (Select TWO.)

Select 2 answers
A.kube-apiserver
B.container runtime
C.kube-proxy
D.kubelet
E.etcd
AnswersA, E

API server is a control plane component.

Why this answer

The Kubernetes control plane manages the cluster and makes global decisions. kube-apiserver is the front-end for the control plane, exposing the Kubernetes API for all interactions. etcd is a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data, making it a core control plane component.

Exam trap

CNCF often tests the distinction between control plane and worker node components, and the trap here is that candidates confuse kubelet or kube-proxy (which run on every node) with control plane components because they are essential to cluster operation but are not part of the control plane itself.

46
MCQhard

You have a Pod that needs to run a one-time batch job to completion. Which resource type should you use?

A.Job
B.StatefulSet
C.DaemonSet
D.Deployment
AnswerA

Jobs run Pods to completion.

Why this answer

A Job resource is designed for running a finite task to completion, such as a batch job or a one-time computation. Unlike controllers that maintain a desired number of replicas indefinitely, a Job creates one or more Pods and tracks their successful termination. Once the specified number of completions is reached, the Job is considered finished and no further Pods are created.

Exam trap

The trap here is that candidates often confuse a Job with a Deployment, thinking that any workload that runs a container should use a Deployment, but Deployments are designed for long-running services, not ephemeral batch tasks.

How to eliminate wrong answers

Option B (StatefulSet) is wrong because StatefulSets are used for stateful applications that require stable, unique network identities and persistent storage, not for one-time batch jobs. Option C (DaemonSet) is wrong because DaemonSets ensure that a copy of a Pod runs on every (or selected) node in the cluster, typically for daemon-like services such as logging or monitoring, not for tasks that run to completion. Option D (Deployment) is wrong because Deployments manage a set of identical Pods with a desired replica count, ensuring they are always running and self-healing, which is the opposite of a one-time batch job that should terminate upon success.

47
Multi-Selecthard

Which THREE of the following are features of Helm that facilitate release management? (Choose three.)

Select 3 answers
A.Canary deployment strategy
B.Rollback to a previous release revision
C.Release history and revision tracking
D.Horizontal pod autoscaling
E.Upgrade a release with new values
AnswersB, C, E

Helm supports rollback with 'helm rollback'.

Why this answer

Helm provides rollback to previous revisions, stores release history, and upgrades releases while preserving history. It does not natively do canary deployments or autoscaling.

48
MCQeasy

Which Prometheus metric type is best suited for counting the total number of HTTP requests received by a service?

A.Summary
B.Counter
C.Gauge
D.Histogram
AnswerB

Correct. A counter is cumulative and only increases, perfect for counting total requests.

Why this answer

A counter is a cumulative metric that only increases (or resets to zero). It is ideal for counting events like HTTP requests.

49
MCQeasy

Which of the following is a worker node component responsible for ensuring that containers are running in a pod as specified in the pod's spec?

A.kube-scheduler
B.kube-proxy
C.kubelet
D.etcd
AnswerC

The kubelet ensures that containers are running in a pod as specified.

Why this answer

The kubelet is the primary node agent that runs on each worker node. It receives PodSpecs (via the API server or a file) and ensures that the containers described in those PodSpecs are running and healthy. It does this by interacting with the container runtime (e.g., containerd or CRI-O) to start, stop, and monitor containers as required.

Exam trap

CNCF often tests the distinction between control plane components (scheduler, etcd) and worker node agents (kubelet, kube-proxy), and the trap here is confusing the kubelet's role of running containers with the kube-scheduler's role of placing pods onto nodes.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is a control plane component responsible for assigning pods to nodes based on resource requirements and constraints, not for running containers on a node. Option B is wrong because kube-proxy is a network proxy that runs on each node, handling network rules (e.g., iptables or IPVS) for service abstraction and pod-to-service communication, not container lifecycle management. Option D is wrong because etcd is a distributed key-value store used as Kubernetes' backing store for all cluster data, not a node-level component that manages containers.

50
MCQhard

An organization uses Flux with Kustomize to manage their Kubernetes applications. They want to automatically update their deployment when a new container image is pushed to the registry. Which Flux component should they use?

A.Source Controller
B.Image Automation Controller
C.Helm Controller
D.Kustomize Controller
AnswerB

This controller watches for new images and updates the Git repository with the new tag, triggering a reconciliation.

Why this answer

Flux's Image Automation Controller automates updates based on image policies. It can update manifests in Git when a new image tag is found, triggering a sync.

51
MCQmedium

You need to run a batch job that processes a queue and then terminates. Which Kubernetes resource should you use?

A.Deployment
B.DaemonSet
C.StatefulSet
D.Job
AnswerD

Jobs ensure a specified number of Pods successfully terminate, ideal for batch processing.

Why this answer

A Job is the correct Kubernetes resource for running a batch process that executes a finite task (e.g., processing a queue) and then terminates. Unlike controllers that maintain a desired state indefinitely, a Job creates one or more Pods and ensures they run to successful completion, after which the Job itself completes and no further Pods are created.

Exam trap

CNCF often tests the misconception that a Deployment can be used for any workload; the trap here is that a Deployment's restart policy (Always) makes it unsuitable for terminating batch jobs, whereas a Job's restart policy (OnFailure or Never) is specifically designed for finite tasks.

How to eliminate wrong answers

Option A is wrong because a Deployment is designed for long-running, stateless applications that must maintain a desired replica count indefinitely; it will restart Pods upon completion, which is the opposite of a terminating batch job. Option B is wrong because a DaemonSet ensures that a copy of a Pod runs on every (or selected) Node in the cluster, typically for cluster-wide services like logging or monitoring, not for a one-time batch task. Option C is wrong because a StatefulSet is intended for stateful applications that require stable, unique network identities and persistent storage, such as databases, and it maintains a sticky identity across restarts, which is unnecessary and inappropriate for a terminating queue-processing job.

52
MCQmedium

Which component of the Istio service mesh is responsible for certificate signing and identity management?

A.Envoy
B.Citadel
C.Mixer
D.Pilot
AnswerB

Citadel manages certificates and identity.

Why this answer

Istio's security features are managed by Citadel (now part of istiod), which handles certificate signing and identity. Envoy is the proxy, Pilot provides service discovery, and Mixer was an older component for policy (now deprecated).

53
MCQmedium

Which component on a worker node is responsible for enforcing the network rules and implementing Service abstractions?

A.kube-proxy
B.kubelet
C.container runtime
D.kube-scheduler
AnswerA

kube-proxy maintains network rules for Service connectivity.

Why this answer

kube-proxy runs on each node and handles network proxying and load balancing for Services.

54
MCQhard

You are designing a microservices application. Which of the following is a key principle of microservices architecture?

A.Services are loosely coupled and can be deployed independently
B.Services are tightly coupled to allow fast communication
C.All services must be written in the same programming language
D.All services must share a common database
AnswerA

This enables agility and scalability.

Why this answer

Option A is correct because microservices architecture is fundamentally defined by loose coupling and independent deployability. Each service encapsulates its own domain logic, communicates via lightweight protocols like HTTP/REST or gRPC, and can be updated, scaled, or deployed without affecting other services. This aligns with the Kubernetes-native pattern of managing each microservice as a separate Deployment or StatefulSet, enabling continuous delivery and resilience.

Exam trap

CNCF often tests the misconception that microservices require a single shared database or a single programming language, confusing microservices with a distributed monolith; the trap here is assuming that 'fast communication' (Option B) justifies tight coupling, when in reality loose coupling is prioritized for resilience and independent deployability.

How to eliminate wrong answers

Option B is wrong because tight coupling contradicts the core principle of microservices; it would create a monolithic dependency graph where a change in one service requires coordinated changes in others, negating the benefits of independent scaling and fault isolation. Option C is wrong because microservices explicitly allow polyglot programming — each service can be written in the language best suited for its task (e.g., Go for high-throughput services, Python for data processing) and communicate over standard protocols. Option D is wrong because sharing a single database creates tight coupling at the data layer, violating service autonomy; each microservice should own its private database (database-per-service pattern) to avoid schema conflicts and enable independent schema evolution.

55
MCQmedium

You have a Deployment named 'web-app' that manages 3 replicas. You need to update the container image from version 1.0 to 2.0 with zero downtime. Which Kubernetes feature is designed to handle this automatically when you update the Deployment's pod template?

A.ReplicationController
B.Rolling update strategy in the Deployment
C.DaemonSet
D.StatefulSet's onDelete strategy
AnswerB

The rolling update strategy is the default update strategy for Deployments, enabling gradual pod replacement with zero downtime.

Why this answer

The correct answer is B because a Deployment's default update strategy is 'RollingUpdate', which automatically replaces old Pods with new ones in a controlled manner, ensuring zero downtime by incrementally scaling down old replicas and scaling up new replicas. When you update the container image in the Deployment's pod template, Kubernetes triggers a rolling update that maintains the desired number of replicas throughout the process.

Exam trap

The trap here is that candidates may confuse the Deployment's automatic rolling update with manual update methods (like onDelete) or think that a ReplicationController or DaemonSet can handle zero-downtime updates in the same way, but only the Deployment's RollingUpdate strategy provides this out-of-the-box behavior for stateless applications.

How to eliminate wrong answers

Option A is wrong because a ReplicationController does not support rolling updates natively; it only ensures a specified number of Pod replicas are running, and updating its pod template requires manual deletion and recreation of Pods, causing downtime. Option C is wrong because a DaemonSet ensures that a copy of a Pod runs on all (or a subset of) nodes, and it is not designed for managing stateless application replicas with zero-downtime updates; its update strategy can be RollingUpdate or OnDelete, but it is not the feature intended for a Deployment like 'web-app'. Option D is wrong because StatefulSet's onDelete strategy requires manual Pod deletion to trigger updates, which does not provide automatic zero-downtime updates; StatefulSets are designed for stateful applications and their default update strategy is RollingUpdate, but the question asks about a Deployment, not a StatefulSet.

56
MCQeasy

What is the smallest deployable unit in Kubernetes?

A.Pod
B.Deployment
C.Node
D.Container
AnswerA

A Pod is the smallest deployable unit that can be created and managed in Kubernetes.

Why this answer

Option A is correct. A Pod is the smallest and simplest unit in Kubernetes. It represents a single instance of a running process and can contain one or more containers.

Containers themselves are not directly managed by Kubernetes; they are encapsulated in Pods.

57
MCQhard

A company wants to implement a serverless function that processes events from an Amazon S3 bucket. The function should scale to zero when idle and only incur costs during execution. Which technology is BEST suited for this requirement?

A.Knative
B.Apache Kafka
C.AWS Lambda
D.Kubernetes CronJob
AnswerC

AWS Lambda is a FaaS platform that executes code in response to events and scales to zero when idle.

Why this answer

Option C is correct. AWS Lambda is a FaaS (Function as a Service) platform that scales to zero when idle and is event-driven. Option B (Apache Kafka) is a streaming platform, not a serverless function platform.

Option A (Knative) is serverless but runs on Kubernetes, requiring cluster management. Option D (Kubernetes CronJob) is for scheduled jobs, not event-driven, and does not scale to zero automatically.

58
MCQmedium

A Deployment manages ReplicaSets and supports rolling updates. You want to change the container image of a Deployment without downtime. What is the recommended approach?

A.Use kubectl expose to update the image on the service
B.Delete the existing Deployment and create a new one with the updated image
C.Edit the Deployment's pod template spec to use the new image; the Deployment will automatically perform a rolling update
D.Manually delete all pods one by one; they will be recreated with the new image by the ReplicaSet
AnswerC

Changing the pod template triggers a rolling update managed by the Deployment.

Why this answer

The correct approach is to update the Deployment's pod template (e.g., spec.template.spec.containers[0].image) and apply the change. The Deployment controller then performs a rolling update by gradually replacing pods with the new image.

59
MCQeasy

Which Kubernetes component is responsible for maintaining the desired state of the cluster?

A.Deployment controller
B.kube-proxy
C.kubelet
D.etcd
AnswerA

The Deployment controller ensures the desired number of pod replicas is running.

Why this answer

The Deployment controller is a core Kubernetes controller that runs as part of the kube-controller-manager. It continuously watches the cluster's current state via the API server and reconciles it with the desired state defined in Deployment objects, ensuring the correct number of Pod replicas are running, updated, and available. This makes it the primary component responsible for maintaining the desired state of the cluster for stateless workloads.

Exam trap

CNCF often tests the misconception that etcd is responsible for maintaining desired state because it stores the desired state, but candidates must remember that etcd is only a data store, not an active controller that reconciles state.

How to eliminate wrong answers

Option B (kube-proxy) is wrong because it is a network proxy that runs on each node, handling service-to-Pod traffic routing using iptables or IPVS rules, not maintaining desired state. Option C (kubelet) is wrong because it is the node agent that ensures containers are running in a Pod as specified by the PodSpec, but it only acts on instructions from the API server and does not maintain the overall desired state of the cluster. Option D (etcd) is wrong because it is a distributed key-value store that holds the cluster's configuration and state data, but it is a passive storage backend and does not actively reconcile or maintain the desired state.

60
Multi-Selectmedium

Which THREE of the following are valid options for the 'kubectl get' command to display output in different formats?

Select 3 answers
A.-o verbose
B.-o wide
C.-o json
D.-o yaml
E.--describe
AnswersB, C, D

Output with additional details.

Why this answer

Option B is correct because `kubectl get -o wide` is a valid output format that displays additional details such as node names and internal IPs for pods, or cluster IPs and ports for services, beyond the default summary columns. This is a standard kubectl output flag for human-readable extended output.

Exam trap

CNCF often tests the distinction between output format flags (`-o`) and separate subcommands (`describe`), trapping candidates who confuse `--describe` with `-o wide` or think `-o verbose` is a real format.

61
Multi-Selecthard

Which three of the following are valid ways to expose a service externally in Kubernetes? (Select THREE.)

Select 3 answers
A.Ingress
B.ExternalName
C.NodePort
D.LoadBalancer
E.ClusterIP
AnswersA, C, D

Ingress provides HTTP/S routing and can expose services externally.

Why this answer

Ingress is correct because it provides HTTP/HTTPS-based external access to services using host-based or path-based routing rules, typically via an Ingress controller (e.g., NGINX, Traefik). It exposes a service externally by defining rules that map external traffic to internal ClusterIP services, making it a valid method for external exposure.

Exam trap

The trap here is that candidates often confuse ExternalName as an external exposure method because of its name, but it only creates a DNS alias within the cluster and does not expose the service to external clients.

62
MCQhard

A cluster has a node with the taint 'node-role.kubernetes.io/control-plane:NoSchedule'. A pod must be scheduled on this node for a special workload. Which action is required?

A.Use a nodeSelector to select the node.
B.Remove the taint from the node.
C.Add a toleration to the pod spec.
D.Use podAffinity to attract the pod to the node.
AnswerC

Correct; toleration allows the pod to be scheduled on the tainted node.

Why this answer

Option C is correct because a taint on a node causes the scheduler to avoid placing pods on that node unless the pod explicitly tolerates the taint. By adding a toleration in the pod spec that matches the taint key, effect, and optionally the value, the pod becomes eligible to be scheduled on the tainted node. This is the standard Kubernetes mechanism for allowing pods to run on control-plane or other specially tainted nodes.

Exam trap

The trap here is that candidates confuse nodeSelector (label-based) with tolerations (taint-based), thinking that selecting a node by label can override a taint, when in fact taints are a separate, higher-priority scheduling constraint.

How to eliminate wrong answers

Option A is wrong because a nodeSelector only matches node labels, not taints; it cannot override the scheduling restriction imposed by a NoSchedule taint. Option B is wrong because removing the taint would affect all pods and is unnecessary when only a specific pod needs to run on that node; it also violates the principle of least privilege. Option D is wrong because podAffinity attracts pods based on labels of other pods, not node-level taints, and does not bypass the NoSchedule effect.

63
MCQmedium

Which component in a service mesh is responsible for handling traffic management, security, and observability as a sidecar proxy?

A.Pilot
B.Mixer
C.Citadel
D.Envoy
AnswerD

Envoy acts as the data plane proxy.

Why this answer

Envoy is the most common sidecar proxy used in service meshes like Istio.

64
MCQmedium

An organization uses Prometheus and Grafana for monitoring. They want to alert when the 99th percentile of request latency exceeds 500ms for more than 5 minutes. Which PromQL query should they use in the alert rule?

A.histogram_quantile(0.99, rate(http_request_duration_seconds_bucket[1m])) > 0.5
B.histogram_quantile(0.99, rate(http_request_duration_seconds_bucket[5m])) > 0.5
C.avg(rate(http_request_duration_seconds_bucket[5m])) > 0.5
D.max(rate(http_request_duration_seconds_bucket[5m])) > 0.5
AnswerB

Correctly calculates 99th percentile over 5 minutes, then compares to 0.5 seconds.

Why this answer

Option B is correct because it uses `histogram_quantile(0.99, rate(...[5m]))` to calculate the 99th percentile request latency over a 5-minute window, matching the requirement to alert when this value exceeds 500ms (0.5 seconds) for more than 5 minutes. The `rate()` function with a 5m range computes the per-second increase of bucket counters over that duration, which is necessary for accurate quantile estimation in Prometheus.

Exam trap

The trap here is that candidates often pick a 1-minute rate window (Option A) thinking it provides faster detection, but the question explicitly requires a 5-minute sustained condition, and Prometheus alert rules evaluate the query over the rule evaluation interval, not the rate window.

How to eliminate wrong answers

Option A is wrong because it uses a 1-minute rate window (`[1m]`), which does not align with the requirement to evaluate over a 5-minute period; this would cause the alert to trigger on short bursts rather than sustained latency. Option C is wrong because `avg(rate(...))` calculates the average rate across all buckets, which has no relation to percentile latency and cannot detect the 99th percentile threshold. Option D is wrong because `max(rate(...))` takes the maximum rate across buckets, which is not a percentile metric and would incorrectly alert on the highest bucket's rate rather than the 99th percentile latency.

65
MCQmedium

A team is migrating a legacy application to Kubernetes. The application requires persistent storage and needs to maintain session affinity. Which set of Kubernetes resources should they use?

A.Deployment with a ClusterIP Service and Ingress.
B.Job with a LoadBalancer Service.
C.DaemonSet with a NodePort Service.
D.StatefulSet with a headless Service and Service with session affinity.
AnswerD

StatefulSet gives stable identities and persistent storage; session affinity ensures stickiness.

Why this answer

StatefulSet is the correct choice because it provides stable, unique network identities and persistent storage per pod, which are essential for stateful applications. A headless Service allows direct pod-to-pod communication without load balancing, while a regular Service with session affinity (using `externalTrafficPolicy: Local` or `sessionAffinity: ClientIP`) ensures client requests stick to the same pod, maintaining session state.

Exam trap

CNCF often tests the misconception that a Deployment with a standard Service is sufficient for stateful workloads, ignoring that StatefulSet is required for stable storage and identity, and that session affinity must be explicitly configured on the Service, not assumed from Ingress or LoadBalancer alone.

How to eliminate wrong answers

Option A is wrong because a Deployment with ClusterIP Service and Ingress does not guarantee stable pod identities or persistent storage per pod; Deployments treat pods as ephemeral, and Ingress alone cannot enforce session affinity at the pod level. Option B is wrong because a Job is designed for batch processing and terminates after completion, making it unsuitable for a long-running application requiring persistent storage and session affinity; a LoadBalancer Service also does not provide stable pod identities. Option C is wrong because a DaemonSet runs one pod per node, which does not provide the ordered, stable pod identities needed for persistent storage and session affinity; NodePort Service exposes pods on a static port per node but does not ensure session stickiness or stable storage.

66
MCQmedium

You want to update a Deployment's container image from 'nginx:1.20' to 'nginx:1.21' and record the change. Which kubectl command should you use?

A.kubectl edit deployment nginx
B.kubectl apply -f deployment.yaml
C.kubectl set image deployment/nginx nginx=nginx:1.21 --record
D.kubectl set image deployment/nginx nginx=nginx:1.21
AnswerC

The --record flag annotates the change for history.

Why this answer

kubectl set image deployment/<name> <container>=<image> --record records the command in the rollout history.

67
MCQmedium

A developer wants to run a container image locally for testing before deploying to a Kubernetes cluster. Which tool is most appropriate for this task?

A.Ansible
B.Docker
C.Kubernetes
D.Terraform
AnswerB

Docker allows developers to run containers locally with a simple command, suitable for testing.

Why this answer

Docker is a widely used tool for building and running containers locally. While Kubernetes can run containers, it is overkill for local testing of a single container.

68
MCQhard

You create a Service of type ClusterIP in the 'default' namespace. You try to reach the Service from a pod in the 'production' namespace using the service name. The connection fails. What is the most likely reason?

A.The pod cannot resolve the DNS name because service DNS names are only resolvable within the same namespace
B.Cross-namespace service access is not allowed by default
C.The service has no endpoints
D.The service port is not correctly configured
AnswerA

DNS resolution for services is namespace-scoped; you need to use the FQDN.

Why this answer

Service DNS names are scoped to namespaces. To access a service in another namespace, you must use the fully qualified name: <service>.<namespace>.svc.cluster.local.

69
MCQhard

You have a Deployment that runs a web application. You need to expose this application externally on a fixed port using a cloud load balancer. Which Service type should you use?

A.NodePort
B.LoadBalancer
C.ExternalName
D.ClusterIP
AnswerB

LoadBalancer provisions an external load balancer and assigns a fixed external IP.

Why this answer

A LoadBalancer Service type provisions an external cloud load balancer (e.g., AWS ELB, GCP TCP/UDP Load Balancer) that exposes the application on a fixed port (typically 80/443) and distributes traffic to the Pods. This is the correct choice because the requirement explicitly asks for a cloud load balancer with a fixed external port, which is exactly what LoadBalancer provides by integrating with the underlying cloud provider's API.

Exam trap

CNCF often tests the misconception that NodePort is sufficient for external access, but the question's requirement for a 'cloud load balancer' and 'fixed port' (like 80/443) disqualifies NodePort because it uses a high port range and lacks cloud LB integration.

How to eliminate wrong answers

Option A is wrong because NodePort exposes the application on a static port on each node's IP (range 30000-32767), not via a cloud load balancer, and does not provide a fixed external port like 80 or 443. Option C is wrong because ExternalName maps a Service to a DNS name (CNAME record) and does not expose any ports or provide load balancing; it is used for external service discovery, not for exposing an application externally. Option D is wrong because ClusterIP exposes the Service only on a cluster-internal IP, making it unreachable from outside the cluster without additional components like an Ingress or a proxy.

70
MCQmedium

Which component runs on every node and is responsible for maintaining network rules that allow communication to Pods from network endpoints?

A.kube-controller-manager
B.kube-proxy
C.container runtime
D.kubelet
AnswerB

kube-proxy maintains network rules for service connectivity.

Why this answer

kube-proxy runs on each node and implements network rules (e.g., iptables, IPVS) to manage service-to-pod communication.

71
MCQeasy

You want to view the logs of a running pod named 'my-pod'. Which kubectl command should you use?

A.kubectl exec my-pod -- cat /var/log/container.log
B.kubectl logs my-pod
C.kubectl get pod my-pod -o yaml
D.kubectl describe pod my-pod
AnswerB

This prints the pod's logs.

Why this answer

kubectl logs <pod-name> fetches logs from the container(s) in the pod.

72
Multi-Selectmedium

Which THREE of the following are valid types of Kubernetes Services? (Select THREE)

Select 3 answers
A.InternalIP
B.LoadBalancer
C.NodePort
D.ExternalName
E.ClusterIP
AnswersB, C, E

LoadBalancer exposes the Service externally via a cloud provider's load balancer.

Why this answer

ClusterIP, NodePort, and LoadBalancer are standard Service types. ExternalName is also valid, but InternalIP is not a Service type.

73
MCQmedium

What is the purpose of kube-proxy on a worker node?

A.To run the container runtime
B.To store cluster configuration data
C.To implement network rules and handle service traffic routing
D.To monitor pod health and restart unhealthy containers
AnswerC

kube-proxy configures iptables or IPVS rules to route traffic to the correct Pods.

Why this answer

Option C is correct because kube-proxy is the component responsible for implementing network rules on each worker node, enabling the service abstraction by managing iptables or IPVS rules to route traffic to the appropriate pods. It handles service discovery and load balancing for ClusterIP, NodePort, and LoadBalancer service types, ensuring that traffic destined for a service is correctly forwarded to healthy pod endpoints.

Exam trap

CNCF often tests the misconception that kube-proxy handles pod health checks and restarts, but that is actually the kubelet's job, while kube-proxy only deals with network traffic routing and service abstraction.

How to eliminate wrong answers

Option A is wrong because the container runtime (e.g., containerd, CRI-O) is a separate component that runs containers, not kube-proxy. Option B is wrong because cluster configuration data is stored in etcd, a distributed key-value store, not in kube-proxy. Option D is wrong because monitoring pod health and restarting unhealthy containers is the responsibility of the kubelet, specifically through liveness probes and pod lifecycle management, not kube-proxy.

74
MCQeasy

What is the purpose of the metrics-server in Kubernetes?

A.To provide resource usage metrics for pods and nodes
B.To manage service meshes
C.To collect application logs
D.To store historical metrics
AnswerA

The metrics-server exposes CPU and memory metrics from kubelets.

Why this answer

The metrics-server provides resource metrics (CPU and memory) per pod and node, used by kubectl top and the Horizontal Pod Autoscaler.

75
MCQmedium

Which Kubernetes resource provides stable network endpoints for a set of pods, enabling service discovery and load balancing?

A.Service
B.NetworkPolicy
C.Ingress
D.EndpointSlice
AnswerA

A Service provides a stable endpoint and load balancing for a set of pods, enabling service discovery within the cluster.

Why this answer

A Service is the correct Kubernetes resource because it provides a stable virtual IP (ClusterIP) and DNS name that persists independently of pod lifecycles, enabling reliable service discovery and client-side load balancing across a set of pods selected by labels. This abstraction decouples clients from ephemeral pod IPs, ensuring traffic is routed to healthy pods via kube-proxy and iptables/IPVS rules.

Exam trap

CNCF often tests the misconception that Ingress provides load balancing and stable endpoints directly to pods, when in fact Ingress only routes external traffic to a Service, which is the actual resource providing those capabilities.

How to eliminate wrong answers

Option B is wrong because NetworkPolicy is a firewall rule that controls ingress/egress traffic at the pod level using IP blocks or label selectors, but it does not provide stable network endpoints or load balancing. Option C is wrong because Ingress is an API object that manages external HTTP/HTTPS routing to Services (typically via a controller like NGINX), but it does not itself provide stable endpoints or load balance directly to pods; it relies on a Service for that. Option D is wrong because EndpointSlice is a lower-level resource that tracks the actual pod IPs and ports backing a Service, but it is a data object consumed by kube-proxy, not a resource that provides stable endpoints or load balancing on its own.
