Kubernetes and Cloud Native Associate KCNA (KCNA) — Questions 676750

997 questions total · 14 pages · All types, answers revealed

Page 10 of 14
676 · MCQ · hard

You create a Service of type NodePort with nodePort: 30080. The cluster's nodes have IP addresses 10.0.0.1 and 10.0.0.2. From outside the cluster, which address and port can you use to access the Service?

A. 10.0.0.1:30080
B. 10.0.0.1:80
C. ClusterIP:80
D. 10.0.0.2:8080
Answer: A

NodePort makes the service accessible on each node's IP at the nodePort.

Why this answer

NodePort exposes the service on each node's IP at the specified nodePort (30080). The service is reachable via <NodeIP>:<NodePort>. The internal ClusterIP is not reachable externally unless using a proxy or Ingress.

677 · MCQ · hard

A pod named 'web-app' is not able to resolve the hostname 'db-service' from another namespace 'data'. The 'db-service' Service exists in the 'data' namespace. What is the most likely cause?

A. The pod is trying to resolve 'db-service' without the namespace suffix
B. The Service 'db-service' is not exposed on a port
C. The pod's DNS policy is set to 'None'
D. The pod's container image lacks DNS utilities
Answer: A

Pods in a different namespace must use 'db-service.data.svc.cluster.local'.

Why this answer

Kubernetes DNS resolves services in the form <service>.<namespace>.svc.cluster.local. If the pod is in a different namespace, it must use the full DNS name.

678 · MCQ · easy

Which practice is a key principle of cloud-native architecture?

A. Automated CI/CD pipelines
B. Manual configuration management
C. Tight coupling of services
D. Preferring stateful applications over stateless
Answer: A

Enables rapid and reliable deployments.

Why this answer

Automated CI/CD pipelines are a key principle of cloud-native architecture because they enable rapid, reliable, and repeatable delivery of microservices. By automating build, test, and deployment stages, teams can achieve continuous integration and continuous delivery, which aligns with the cloud-native goals of agility, scalability, and resilience. This automation reduces human error and accelerates the feedback loop, essential for managing distributed systems in dynamic cloud environments.

Exam trap

CNCF often tests the misconception that manual configuration management is acceptable in cloud-native environments, but the trap here is that candidates confuse traditional IT operations with the automated, declarative approach required for cloud-native scalability and resilience.

How to eliminate wrong answers

Option B is wrong because manual configuration management contradicts the cloud-native principle of declarative, automated infrastructure (e.g., using Kubernetes manifests or Terraform), leading to configuration drift and reduced scalability. Option C is wrong because tight coupling of services violates the microservices tenet of loose coupling, which is fundamental to independent deployability and fault isolation in cloud-native architectures. Option D is wrong because cloud-native architecture prefers stateless applications over stateful ones, as stateless services scale horizontally more easily and are simpler to manage; state is typically offloaded to external stores like databases or caches.

679 · MCQ · hard

You need to ensure that a pod runs on a specific node that has an SSD. The node has the label 'disktype=ssd'. How should you configure the pod to target this node?

A. Set spec.affinity.nodeAffinity with requiredDuringSchedulingIgnoredDuringExecution.
B. Set spec.nodeSelector with disktype: ssd.
C. Set spec.tolerations with key=disktype, value=ssd.
D. Set spec.nodeName to the node's name.
Answer: B

NodeSelector is the simplest way to constrain a pod to nodes with a specific label.

Why this answer

NodeSelector with matching label ensures the pod is scheduled on nodes with that label.

680 · MCQ · medium

A company deploys a microservice application on Kubernetes. They notice that one of the services is returning 5xx errors intermittently. Which observability tool should they use to correlate the errors with resource usage across all pods of that service?

A. Prometheus
B. Grafana
C. Fluentd
D. Jaeger
Answer: A

Prometheus collects metrics and can correlate error rates with resource usage via labels.

Why this answer

Prometheus is the correct choice because it is a monitoring and alerting toolkit designed to collect and store time-series metrics, such as CPU, memory, and request error rates. By querying Prometheus with PromQL, you can correlate 5xx error spikes with resource usage across all pods of a service, as it scrapes metrics from each pod's /metrics endpoint. This direct correlation of application-level errors with infrastructure metrics is not natively provided by the other tools listed.

Exam trap

The exam often tests the distinction between observability pillars (metrics, logs, traces) and their specific tools, so the trap here is confusing Grafana (a visualization layer) with Prometheus (a metrics backend) or assuming Jaeger (tracing) can correlate resource usage metrics.

How to eliminate wrong answers

Option B (Grafana) is wrong because Grafana is a visualization and dashboarding tool, not a data source; it cannot collect or correlate metrics on its own and relies on Prometheus or other backends for data. Option C (Fluentd) is wrong because Fluentd is a log collector and forwarder, focused on unstructured log data, not on time-series metrics or direct correlation with resource usage. Option D (Jaeger) is wrong because Jaeger is a distributed tracing tool for tracking request paths across services, not for correlating error rates with resource usage metrics like CPU or memory.

681 · Multi-Select · medium

Which two components are part of the Kubernetes worker node? (Choose two.)

Select 2 answers
A. kube-proxy
B. kube-scheduler
C. etcd
D. kubelet
E. kube-apiserver
Answers: A, D

kube-proxy runs on each worker node and manages network rules.

Why this answer

Worker nodes run kubelet, kube-proxy, and container runtime. kube-apiserver and etcd are control plane components.

682 · Multi-Select · medium

Which TWO of the following are characteristics of a microservices architecture? (Select 2)

Select 2 answers
A. Independent deployment of services
B. Tight coupling between services
C. Loose coupling between services
D. Monolithic codebase
E. Shared database for all services
Answers: A, C

Each microservice can be deployed independently.

Why this answer

Option A is correct because microservices architecture is designed to allow each service to be developed, tested, and deployed independently without affecting other services. This independence is achieved through well-defined APIs and versioning strategies, enabling continuous delivery and rapid iteration. In Kubernetes, for example, each microservice can be packaged as a separate container and deployed via its own Deployment resource, allowing updates to one service without downtime for the entire application.

Exam trap

CNCF often tests the misconception that microservices require a shared database for consistency, but the correct pattern is database-per-service to maintain loose coupling and independent scalability.

683 · MCQ · medium

A developer wants to deploy a stateful application that requires stable network identities and persistent storage. Which Kubernetes resource is best suited for this workload?

A. Deployment
B. DaemonSet
C. StatefulSet
D. Job
Answer: C

StatefulSet provides stable, unique network identifiers and persistent storage for stateful applications.

Why this answer

StatefulSet is the correct choice because it is designed specifically for stateful applications that require stable, unique network identities (via headless Services and ordinal hostnames) and persistent storage (via PersistentVolumeClaims that are retained across Pod rescheduling). Unlike Deployments, StatefulSets guarantee ordered deployment, scaling, and termination, which is essential for databases or message queues.

Exam trap

CNCF often tests the misconception that Deployment can handle stateful workloads because it supports PersistentVolumeClaims, but the trap is that Deployment does not guarantee stable network identities or ordered Pod management, which are critical for stateful applications like databases.

How to eliminate wrong answers

Option A is wrong because Deployment is intended for stateless applications and creates Pods with random, ephemeral identities and no guaranteed storage persistence; it does not provide stable network identities. Option B is wrong because DaemonSet ensures that a copy of a Pod runs on each node (or a subset of nodes) for node-level services like logging or monitoring, not for stateful workloads requiring stable identities and persistent storage. Option D is wrong because Job is designed for batch or one-time tasks that run to completion, not for long-running stateful applications that need persistent storage and stable network identities.

684 · Multi-Select · medium

Which TWO statements are true about Kubernetes Deployments?

Select 2 answers
A. Deployments support rolling updates and rollbacks.
B. Deployments are the recommended controller for stateful applications.
C. A Deployment creates a ReplicaSet to ensure the desired number of pod replicas are running.
D. Deployments can expose applications externally via a built-in load balancer.
E. Deployments are used to run a pod on every node in the cluster.
Answers: A, C

Rolling updates and rollbacks are core features of Deployments.

Why this answer

Option A is correct because Deployments inherently support rolling updates and rollbacks through their declarative update strategy. When you change the pod template in a Deployment, it creates a new ReplicaSet and gradually scales it up while scaling down the old ReplicaSet, ensuring zero-downtime updates. If the update fails, you can roll back to a previous revision using `kubectl rollout undo`, which reverts the Deployment to a prior ReplicaSet state.

Exam trap

CNCF often tests the misconception that Deployments are suitable for stateful workloads or that they inherently expose applications externally, when in fact StatefulSets and Services are the correct components for those responsibilities.

685 · Multi-Select · easy

Which TWO of the following are essential components of a GitOps workflow? (Select two.)

Select 2 answers
A. A separate database for storing desired state
B. A monitoring dashboard for visualizations
C. A CI/CD pipeline that manually applies changes
D. An operator that synchronizes the cluster state with the Git repository
E. A Git repository storing declarative configurations
Answers: D, E

The operator continuously watches Git and applies changes.

Why this answer

Option D is correct because a GitOps workflow relies on an operator (such as Argo CD or Flux) that continuously reconciles the actual cluster state with the desired state declared in a Git repository. This operator automatically detects drift and applies changes to ensure the cluster matches the Git source, which is the core feedback loop of GitOps.

Exam trap

CNCF often tests the misconception that a CI/CD pipeline is the core of GitOps, but the trap here is that GitOps replaces manual or pipeline-driven deployments with an automated reconciliation loop driven by an operator and a Git repository as the source of truth.

686 · MCQ · medium

Which of the following best describes the purpose of the CNCF (Cloud Native Computing Foundation)?

A. To foster and sustain the cloud native ecosystem through project lifecycle management
B. To standardize cloud computing APIs across cloud providers
C. To own and maintain the Kubernetes project exclusively
D. To provide cloud infrastructure services to open source projects
Answer: A

The CNCF manages projects through graduated, incubating, and sandbox stages to foster the cloud native ecosystem.

Why this answer

Option A is correct. The CNCF's primary purpose is to foster and sustain the ecosystem of cloud native technologies, including managing projects through graduation, incubation, and sandbox stages. Option C is incorrect because the CNCF does not own Kubernetes exclusively; the project is hosted and governed by the CNCF but owned by the community.

Option D is incorrect because the CNCF does not provide cloud infrastructure services. Option B is incorrect because the CNCF is not a standards body like the IETF.

687 · MCQ · easy

What is the primary purpose of a Kubernetes Service?

A. To provide a stable network endpoint for a set of pods
B. To implement network routing rules on each node
C. To manage rolling updates of applications
D. To store configuration data as key-value pairs
Answer: A

Services abstract access to pods with a stable IP and DNS name, and load-balance traffic.

Why this answer

A Service provides a stable IP address and DNS name for a set of pods, enabling load-balanced access even as pods are created and destroyed. It does not store configuration data, manage updates, or replace kube-proxy.

688 · MCQ · easy

What is the primary benefit of containers over virtual machines?

A. Containers provide stronger isolation than VMs
B. Containers use more disk space than VMs
C. Containers require a hypervisor to run
D. Containers are more portable and lightweight because they share the host OS kernel
Answer: D

Containers share the host kernel and only include the application and dependencies, making them portable and efficient.

Why this answer

Containers are more portable and lightweight than virtual machines because they share the host OS kernel, eliminating the need for a separate guest OS per instance. This shared kernel approach reduces resource overhead (CPU, memory, and disk) and enables faster startup times, as containers only package the application and its dependencies without duplicating the operating system.

Exam trap

The trap here is that candidates often confuse isolation strength with portability, assuming containers are more secure because they are lightweight; the exam tests the understanding that VMs provide stronger isolation due to separate kernels and hypervisor-level boundaries.

How to eliminate wrong answers

Option A is wrong because containers provide weaker isolation than VMs; VMs use a hypervisor to run separate guest OS kernels, offering stronger security boundaries, whereas containers rely on kernel namespaces and cgroups, which share the host kernel. Option B is wrong because containers use less disk space than VMs, as they do not include a full guest OS image and leverage layered filesystems (e.g., overlay2) to share common layers. Option C is wrong because containers do not require a hypervisor; they run directly on the host OS using container runtime engines like containerd or Docker, whereas VMs require a hypervisor (Type 1 or Type 2) to virtualize hardware.

689 · MCQ · medium

A team runs a stateless web application in Kubernetes. They have a Deployment named 'web-app' with 5 replicas. They want to ensure that a Service named 'web-svc' distributes traffic evenly to all healthy pods. Which type of Service should they use?

A. ClusterIP
B. Headless Service
C. ExternalName Service
D. NodePort
Answer: A

A ClusterIP Service exposes the application on a cluster-internal IP and load-balances across all pods in the backing set.

Why this answer

A ClusterIP Service is the correct choice because it provides a stable virtual IP address and round-robin load balancing across healthy pods in the Deployment. By default, kube-proxy uses iptables or IPVS rules to distribute traffic evenly to all ready pod endpoints, ensuring stateless web application requests are balanced without requiring external exposure.

Exam trap

The trap here is that candidates may think NodePort or Headless Service are needed for load balancing, but the question specifically asks for internal traffic distribution to pods, and ClusterIP is the default and correct Service type for that purpose, while Headless Service actually removes load balancing entirely.

How to eliminate wrong answers

Option B (Headless Service) is wrong because it does not provide a single virtual IP or load balancing; instead, it returns the IP addresses of all healthy pods via DNS, requiring the client to implement its own load balancing logic. Option C (ExternalName Service) is wrong because it maps the Service to an external DNS name and does not route traffic to any Kubernetes pods at all. Option D (NodePort) is wrong because it exposes the Service on a static port on each node's IP for external access; it builds on a ClusterIP and does not change the internal load balancing behavior, while the question asks only for even traffic distribution to pods, which ClusterIP already provides.

690 · MCQ · easy

Which Kubernetes component is the primary entry point for all administrative tasks and exposes the REST API?

A. kube-apiserver
B. kube-controller-manager
C. etcd
D. kube-scheduler
Answer: A

The API server is the entry point for all REST API calls.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane, exposing the REST API that all other components and kubectl interact with.

691 · Multi-Select · medium

Which TWO of the following are valid container runtimes that implement the CRI? (Choose two.)

Select 2 answers
A. Kata Containers
B. CRI-O
C. Docker
D. containerd
E. rkt
Answers: B, D

CRI-O is a CRI-compliant runtime.

Why this answer

CRI-O is a lightweight container runtime specifically designed to implement the Kubernetes Container Runtime Interface (CRI), allowing Kubernetes to use OCI-compliant runtimes directly without relying on Docker. It is a valid CRI implementation because it provides the gRPC-based CRI API server and manages container lifecycle using runc or Kata Containers as the underlying OCI runtime.

Exam trap

CNCF often tests the misconception that Docker is a CRI-compliant runtime because it was historically the default container runtime in Kubernetes, but candidates must remember that Docker uses its own API and was only supported via the now-removed dockershim, making containerd and CRI-O the only correct CRI implementations among the options.

692 · MCQ · easy

Which component is responsible for managing the lifecycle of containers on a Kubernetes node?

A. kube-scheduler
B. kube-controller-manager
C. kube-apiserver
D. kubelet
Answer: D

The kubelet runs on each node and ensures containers are running and healthy.

Why this answer

The kubelet is the primary node agent that runs on each Kubernetes node. It is responsible for ensuring that containers are running in a Pod as expected by interacting with the container runtime (e.g., Docker, containerd) to manage the container lifecycle—starting, stopping, and monitoring containers based on PodSpecs received from the API server.

Exam trap

CNCF often tests the distinction between control-plane components (scheduler, controller-manager, API server) and node-level agents (kubelet), so the trap here is assuming that container lifecycle management is a control-plane function rather than a node-level responsibility.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is responsible for assigning Pods to nodes based on resource availability and constraints, not for managing container lifecycles on a node. Option B is wrong because kube-controller-manager runs controller processes (e.g., ReplicaSet, Deployment controllers) that regulate cluster state, but it does not directly interact with containers on individual nodes. Option C is wrong because kube-apiserver serves as the front-end for the Kubernetes control plane, exposing the Kubernetes API, but it does not manage container lifecycles on nodes; it only provides the interface for kubelet to retrieve Pod specifications.

693 · MCQ · hard

In event-driven architecture, which pattern is commonly used to decouple producers and consumers, allowing asynchronous communication?

A. Event broker (message queue or event bus)
B. Shared database
C. Circuit breaker pattern
D. Synchronous REST API calls
Answer: A

An event broker decouples producers and consumers by acting as an intermediary.

Why this answer

Event-driven architecture decouples producers and consumers via an event broker (e.g., message queue or event bus), enabling asynchronous communication. Direct synchronous calls would couple them.

694 · Multi-Select · hard

Which TWO statements about the Container Runtime Interface (CRI) are correct? (Select 2)

Select 2 answers
A. Docker is the primary CRI implementation
B. CRI is responsible for pulling container images
C. CRI allows Kubernetes to use different container runtimes
D. CRI is an OCI specification
E. containerd and CRI-O are CRI-compliant runtimes
Answers: C, E

CRI is a plugin interface that abstracts the container runtime.

Why this answer

Options C and E are correct. CRI is a plugin interface that enables Kubernetes to use different container runtimes (C). It is implemented by runtimes such as containerd and CRI-O (E).

Option D is false: CRI is not an OCI spec; OCI defines the image and runtime specs. Option A is false: Docker was deprecated as a runtime in favor of CRI-compliant runtimes. Option B is false: CRI only defines the interface, and the runtime that implements it is what pulls images.

695 · Multi-Select · hard

Which TWO of the following are features of ArgoCD that support GitOps principles?

Select 2 answers
A. Automatic secret management
B. Health status visualization of applications
C. Built-in template engine for generating manifests
D. Automated sync to desired state defined in Git
E. Self-healing by reverting manual changes
Answers: B, D

ArgoCD provides a UI to show the health and sync status of applications.

Why this answer

ArgoCD automatically syncs the cluster state to the desired state defined in Git (self-healing) and displays health status of applications. It does not generate manifests from templates natively (that's Kustomize's role) nor does it manage secrets directly.

696 · Multi-Select · medium

Which TWO tools are commonly used for GitOps? (Choose two.)

Select 2 answers
A. Flux
B. Jenkins
C. Helm
D. Terraform
E. ArgoCD
Answers: A, E

Flux is a GitOps operator for Kubernetes.

Why this answer

ArgoCD and Flux are two popular GitOps tools that automate deployment of applications from Git repositories.

697 · Multi-Select · hard

Which TWO are benefits of using a service mesh in cloud-native applications?

Select 2 answers
A. Eliminates need for application monitoring
B. Advanced traffic management capabilities
C. Simplified persistent storage management
D. Automatic mTLS encryption between services
E. Reduced network latency
Answers: B, D

A service mesh provides traffic routing, retries, and similar traffic-control features.

Why this answer

Option B is correct because a service mesh provides advanced traffic management capabilities such as fine-grained routing, canary deployments, and circuit breaking through sidecar proxies (e.g., Envoy). These capabilities allow operators to control traffic flow between microservices without modifying application code, enabling resilient and observable communication patterns.

Exam trap

CNCF often tests the misconception that a service mesh reduces latency or replaces monitoring, when in fact it adds a small overhead and complements, rather than replaces, existing monitoring tools.

698 · Multi-Select · medium

Which THREE of the following are characteristics of a microservices architecture? (Select 3)

Select 3 answers
A. Services share the same database schema
B. Loose coupling between services
C. Independent deployment of services
D. All services are packaged in a single monolithic deployment
E. Decomposition of application into small, independent services
Answers: B, C, E

Services communicate via APIs, reducing dependencies.

Why this answer

Option B is correct because microservices architecture emphasizes loose coupling, where each service communicates via well-defined APIs (e.g., REST, gRPC) and does not share internal implementation details. This allows services to evolve independently without affecting others, which is a core principle of the architecture.

Exam trap

CNCF often tests the misconception that microservices share a database or are deployed as a single unit, confusing them with monolithic or service-oriented architectures (SOA) that may share schemas.

699 · Drag & Drop · medium

Drag and drop the steps to configure a Kubernetes Service of type LoadBalancer in a cloud environment into the correct order.


Why this order

First deploy the app, then define and create the LoadBalancer service, retrieve the IP, and access it.

700 · MCQ · hard

You have a Deployment defined with replicas: 5. You run 'kubectl scale deployment myapp --replicas=3'. Which component is responsible for ensuring the actual number of Pods matches the desired 3?

A. etcd
B. Deployment controller in kube-controller-manager
C. kubelet
D. kube-scheduler
Answer: B

The Deployment controller watches the Deployment and manages the ReplicaSet to achieve the desired number of replicas.

Why this answer

The Deployment controller, which runs as part of the kube-controller-manager, is responsible for reconciling the desired state of a Deployment. When you run 'kubectl scale deployment myapp --replicas=3', the Deployment controller detects the change in the Deployment's replica count and creates or deletes Pods via the ReplicaSet controller to match the desired 3 replicas.

Exam trap

CNCF often tests the misconception that kubelet or kube-scheduler handles scaling, when in fact kubelet only manages local Pod lifecycle and the scheduler only places Pods on nodes, while the Deployment controller in the kube-controller-manager is the component that reconciles replica counts.

How to eliminate wrong answers

Option A is wrong because etcd is a distributed key-value store that holds cluster state, but it does not perform reconciliation or enforce desired replica counts; it only stores the data that controllers read and write. Option C is wrong because kubelet is an agent that runs on each node and manages Pods on that node, but it does not scale Deployments or manage replica counts across the cluster. Option D is wrong because kube-scheduler is responsible for assigning Pods to nodes based on resource availability and constraints, not for ensuring the number of Pods matches a desired replica count.

701 · MCQ · hard

You have a YAML manifest for a Deployment with 'apiVersion: extensions/v1beta1'. When you run 'kubectl apply -f manifest.yaml', you get an error. What is the most likely cause?

A. The apiVersion is deprecated and not supported
B. The namespace does not exist
C. The YAML syntax is invalid
D. The 'kind' field is misspelled
Answer: A

Deployments should use 'apps/v1'.

Why this answer

The apiVersion 'extensions/v1beta1' for Deployments is deprecated and removed in newer Kubernetes versions. The correct apiVersion is 'apps/v1'.

702 · Multi-Select · hard

Which TWO of the following are true about Pod resource limits? (Select TWO)

Select 2 answers
A. A container can use more memory than its limit if the node has free memory
B. CPU limits are enforced using CFS quotas
C. Memory limits are soft and can be exceeded temporarily
D. Limits must be greater than or equal to requests
E. Setting CPU limits guarantees that a container will always get that much CPU
Answers: B, D

CPU limits are enforced via Completely Fair Scheduler (CFS) quotas.

Why this answer

Limits can be higher than requests, and if a container exceeds its memory limit, it may be OOMKilled. Limits cannot be lower than requests (Kubernetes enforces that limits >= requests). CPU limits are not always guaranteed; they are a hard cap for CPU time.

703 · MCQ · medium

A team wants to deploy a batch job that runs once to process a large dataset. The job should run to completion and then terminate. Which Kubernetes resource should be used?

A. DaemonSet
B. CronJob
C. Deployment
D. Job
Answer: D

Job runs pods until completion, ideal for batch processing.

Why this answer

A Job resource is designed for batch processing tasks that run to completion and then terminate. It creates one or more Pods and ensures they successfully finish their work, making it the correct choice for a one-time data processing job.

Exam trap

CNCF often tests the distinction between long-running workloads (Deployments, DaemonSets) and finite tasks (Jobs), so the trap here is confusing a one-time batch job with a CronJob due to the word 'batch' or assuming a Deployment can handle termination.

How to eliminate wrong answers

Option A is wrong because a DaemonSet ensures a Pod runs on every node (or a subset) for continuous daemon-like services, not for a one-time batch job. Option B is wrong because a CronJob is used for scheduled, recurring tasks, not a single run. Option C is wrong because a Deployment manages long-running, stateless applications with desired replicas and rolling updates, not a terminating batch job.

704 · MCQ · easy

What is the primary purpose of continuous integration (CI) in a cloud-native application delivery pipeline?

A. To automatically build and test code changes upon commit
B. To manage infrastructure provisioning
C. To manage container images and registries
D. To automatically deploy code changes to production
Answer: A

Why this answer

CI automates building and testing code changes to catch integration issues early, which is exactly what Option A describes. Option B describes infrastructure as code, Option C describes image and registry management, and Option D describes continuous delivery or deployment.

705 · MCQ · medium

You need to update a running Deployment to use a new container image. Which kubectl command should you use?

A. kubectl replace -f deployment.yaml
B. kubectl set image deployment/<name> <container>=<new-image>
C. kubectl edit deployment <name>
D. kubectl patch deployment <name> -p '{"spec":{"template":{"spec":{"containers":[{"name":"<container>","image":"<new-image>"}]}}}}'
Answer: B

This command directly updates the image.

Why this answer

kubectl set image updates the image of a container in a Deployment.

706 · Multi-Select · medium

Which TWO of the following are benefits of using Helm for managing Kubernetes applications?

Select 2 answers
A. Automatic scaling of pods based on CPU usage
B. Native integration with service mesh for traffic splitting
C. Templating engine for parameterizing Kubernetes manifests
D. Ability to perform rollbacks to previous releases
E. Built-in support for canary deployments
Answers: C, D

Helm uses Go templates to create reusable charts.

Why this answer

Helm provides templating for reusable configurations and allows for easy rollback to previous releases.

707 · MCQ · medium

Which of the following is an example of an Infrastructure as Code (IaC) tool?

A. Kubernetes
B. Terraform
C. Docker
D. Prometheus
Answer: B

Terraform is a declarative IaC tool for provisioning infrastructure.

Why this answer

Terraform is a widely used IaC tool that allows declarative definition of infrastructure across multiple cloud providers.

708 · MCQ · medium

What is the concept of 'immutable infrastructure' as applied to Kubernetes?

A. Configuration is stored in environment variables only
B. Containers are rebuilt from the same base image every time
C. Infrastructure components are never replaced; they are updated in place
D. Pods are replaced with new versions rather than being modified
Answer: D

Correct. Immutable infrastructure replaces rather than patches.

Why this answer

Immutable infrastructure in Kubernetes means that instead of modifying running Pods or their containers (e.g., patching a binary or updating a config file in place), you replace the entire Pod with a new version. This is enforced by Kubernetes' declarative model: when you update a Deployment's Pod template, the controller creates new Pods with the new image and terminates the old ones. This ensures consistency, repeatability, and eliminates configuration drift, as every change results in a fresh, identical instance from the same image.

Exam trap

CNCF often tests the distinction between 'immutable' (replace) and 'mutable' (update in place), and the trap here is that candidates confuse the concept with build-time practices (like using the same base image) or configuration injection methods, rather than the core runtime behavior of replacing Pods.

How to eliminate wrong answers

Option A is wrong because storing configuration only in environment variables is a specific pattern (e.g., 12-factor app), but it does not define immutability; immutable infrastructure requires replacing the entire unit, not just how config is injected. Option B is wrong because rebuilding containers from the same base image every time describes a build practice (e.g., using Dockerfile layers), but immutability is about the runtime behavior of replacing Pods, not the image build process. Option C is wrong because it describes mutable infrastructure (e.g., SSHing into a server to apply updates), which is the exact opposite of immutability; immutable infrastructure mandates that components are never updated in place—they are destroyed and recreated.

709
Multi-Selecthard

Which THREE of the following are true about the Open Container Initiative (OCI)? (Choose 3)

Select 3 answers
A.Docker is an OCI runtime specification
B.OCI is governed by the Cloud Native Computing Foundation (CNCF)
C.OCI defines both an image spec and a runtime spec
D.containerd is an OCI-compliant container runtime
E.Docker images are OCI-compliant
AnswersC, D, E

The OCI maintains the Image Specification and Runtime Specification.

Why this answer

The OCI defines the image spec and runtime spec, ensuring interoperability between container tools. containerd is an OCI-compliant runtime. Docker images are OCI-compliant. Docker itself is not a runtime spec but a platform that uses runtimes.

710
MCQmedium

A company wants to run a batch job that processes data and then terminates. Which Kubernetes resource should they use?

A.CronJob
B.Job
C.Deployment
D.DaemonSet
AnswerB

Jobs create one or more pods and ensure they successfully terminate, ideal for batch processing.

Why this answer

A Job is the correct Kubernetes resource for a batch job that processes data and then terminates. Unlike controllers that maintain a desired state (like Deployments), a Job creates one or more Pods and ensures they run to successful completion. Once the specified number of Pods terminate successfully, the Job is considered complete and does not restart the Pods, making it ideal for one-off or finite processing tasks.

Exam trap

CNCF often tests the distinction between controllers that maintain a desired state (Deployment, DaemonSet) versus controllers that run to completion (Job, CronJob), and the trap here is that candidates may confuse a CronJob with a Job, forgetting that CronJob adds a scheduling layer for periodic execution, not for a single run.

How to eliminate wrong answers

Option A is wrong because a CronJob is designed for scheduling recurring tasks on a time-based schedule (e.g., every hour), not for a single batch job that runs once and terminates. Option C is wrong because a Deployment is meant to run a set of Pods continuously, ensuring a specified number of replicas are always running; it will restart Pods if they exit, which is the opposite of a terminating batch job. Option D is wrong because a DaemonSet ensures that a copy of a Pod runs on every (or selected) node in the cluster, typically for long-running system services like log collectors or monitoring agents, not for one-off batch processing.

711
MCQhard

When using Kustomize, how do you apply a common label to all resources in the base?

A.By editing each YAML file individually
B.By setting 'commonLabels' in the kustomization.yaml
C.By using the 'patches' field to add labels
D.By using a Helm chart instead of Kustomize
AnswerB

commonLabels is designed for this purpose.

Why this answer

Kustomize's commonLabels field adds labels to all resources, including selectors.

712
MCQmedium

You need to expose a set of pods running a web application to internal cluster traffic on a stable IP address. Which resource should you create?

A.Service of type NodePort
B.Ingress
C.NetworkPolicy
D.Service of type ClusterIP
AnswerD

Why this answer

A Service of type ClusterIP exposes the set of pods on a stable, internal IP address that is only reachable within the cluster. This is the default Service type and is specifically designed for internal cluster traffic, providing a stable virtual IP (VIP) that load-balances requests to the underlying pods.

Exam trap

CNCF often tests the distinction between internal and external exposure, and the trap here is that candidates may confuse a Service of type ClusterIP with NodePort, thinking NodePort is needed for any stable IP, when ClusterIP is the correct choice for internal-only traffic.

How to eliminate wrong answers

Option A is wrong because a Service of type NodePort exposes the service on a static port on each node's IP address, making it accessible from outside the cluster, not just internally. Option B is wrong because an Ingress is an API object that manages external HTTP/HTTPS access to services, typically requiring a Service of type NodePort or LoadBalancer to route traffic, and does not itself provide a stable internal IP. Option C is wrong because a NetworkPolicy is a security resource that controls ingress and egress traffic to/from pods based on labels and ports, but it does not expose pods or provide a stable IP address.

713
MCQmedium

A developer deploys a pod that continuously restarts. 'kubectl describe pod' shows the container exits with code 137. What is the most likely cause?

A.The container is exceeding its memory limit and being OOM-killed.
B.The liveness probe is failing and restarting the container.
C.The init container is failing and blocking the main container.
D.The pod is hitting a resource quota limit at the namespace level.
AnswerA

Exit code 137 indicates SIGKILL, often from OOM.

Why this answer

Exit code 137 (128 + 9) indicates the container was killed by SIGKILL. In Kubernetes, this most commonly occurs when the container exceeds its memory limit, triggering the OOM (Out-Of-Memory) killer. The kubelet enforces the resource limits specified in the pod spec, and when memory usage surpasses the limit, the kernel terminates the process with SIGKILL, resulting in exit code 137.

Exam trap

CNCF often tests the distinction between exit codes and probe failures; the trap here is that candidates confuse exit code 137 with a liveness probe failure, but exit code 137 specifically points to a SIGKILL, not a probe timeout or command failure.

How to eliminate wrong answers

Option B is wrong because a failing liveness probe causes a container restart with exit code 137 only if the probe failure leads to a SIGKILL (which is not typical; liveness probe failures result in exit code 0 or 1 depending on the probe command, not 137). Option C is wrong because init container failures block the main container from starting, but they do not cause the main container to exit with code 137; the main container would never run. Option D is wrong because a namespace-level resource quota limit prevents pod creation or scheduling, not causing a running container to exit with code 137; quota enforcement happens at admission time, not during runtime.

714
MCQeasy

What is the purpose of the 'kubectl scale' command?

A.To update the container image of a Deployment
B.To delete a resource
C.To view the logs of a pod
D.To change the number of replicas in a Deployment
AnswerD

kubectl scale changes the replica count.

Why this answer

kubectl scale changes the number of replicas in a Deployment, ReplicaSet, or similar resource.

715
MCQeasy

Which component of the Kubernetes control plane is responsible for storing the cluster state?

A.kube-apiserver
B.etcd
C.kube-scheduler
D.kube-controller-manager
AnswerB

etcd is the cluster state store.

Why this answer

etcd is a distributed key-value store that stores all cluster data. The API server is the only component that interacts with etcd directly.

716
MCQmedium

Which tool can be used to implement feature flags in a Kubernetes-native progressive delivery setup?

A.Argo Rollouts
B.Kustomize
C.Helm
D.Flux
AnswerA

Argo Rollouts provides canary deployments and integrates with feature flag systems like Flagd.

Why this answer

Argo Rollouts supports progressive delivery with features like canary, blue-green, and integration with service mesh for traffic shifting, and can be combined with feature flag systems.

717
MCQmedium

Which DORA metric measures how quickly code changes are deployed to production?

A.Lead time for changes
B.Mean time to recovery (MTTR)
C.Change failure rate
D.Deployment frequency
AnswerA

This metric tracks the speed from commit to production.

Why this answer

Lead time for changes measures the time from code commit to running in production.

718
MCQmedium

A Pod is stuck in Pending state. Which of the following is the MOST likely cause?

A.The Pod's container is crashing
B.The container image has a typo
C.No node has enough resources to run the Pod
D.The Pod's liveness probe is failing
AnswerC

Scheduler cannot place the Pod, so it remains Pending.

Why this answer

Pending usually indicates that the scheduler cannot find a suitable node, often due to insufficient resources.

719
MCQeasy

What is the primary purpose of the Container Runtime Interface (CRI) in Kubernetes?

A.To store container images in a registry
B.To define the format of container images
C.To manage container network interfaces
D.To provide a standard interface between the kubelet and container runtimes
AnswerD

CRI is a plugin interface that enables the kubelet to use different container runtimes.

Why this answer

The Container Runtime Interface (CRI) is a plugin protocol that enables the kubelet to use any OCI-compliant container runtime (e.g., containerd, CRI-O) without needing to recompile Kubernetes. It defines gRPC APIs for runtime and image service operations, abstracting the runtime implementation from the kubelet's pod lifecycle management.

Exam trap

CNCF often tests the distinction between CRI (runtime abstraction) and CNI (network abstraction), so the trap here is confusing container runtime management with container networking, leading candidates to pick Option C.

How to eliminate wrong answers

Option A is wrong because storing container images in a registry is the function of a container registry (e.g., Docker Hub, Amazon ECR), not the CRI; the CRI's image service pulls images from registries but does not store them. Option B is wrong because defining the format of container images is the responsibility of the OCI Image Specification, not the CRI; the CRI consumes images in that format but does not define it. Option C is wrong because managing container network interfaces is the role of the Container Network Interface (CNI), not the CRI; the CRI focuses on runtime and image operations, while CNI handles network attachment.

720
Multi-Selecteasy

Which TWO of the following are benefits of implementing progressive delivery techniques (e.g., canary releases)?

Select 2 answers
A.Replaces the need for a CI/CD pipeline
B.Allows testing new features with a subset of users
C.Eliminates the need for monitoring and alerting
D.Guarantees zero downtime
E.Reduces the risk of deploying a bad version to all users
AnswersB, E

Canary releases target a small percentage of users for validation.

Why this answer

Progressive delivery reduces risk by gradual rollout and provides the ability to test new versions with a subset of users. It does not eliminate the need for monitoring nor does it replace CI/CD pipelines.

721
MCQhard

A company uses OpenTelemetry to instrument their microservices. They want to ensure that traces from one service can be correlated with those from another service across network calls. Which OpenTelemetry concept enables this correlation?

A.Exporter configuration
B.Span attributes
C.Context propagation
D.Sampling
AnswerC

Context propagation carries trace IDs and other context across service boundaries.

Why this answer

Context propagation allows trace context to be passed between services, enabling distributed tracing correlation.

722
MCQmedium

Which component is responsible for ensuring that containers are running as specified in a Pod's specification on a node?

A.Container runtime
B.kubelet
C.kube-proxy
D.kube-scheduler
AnswerB

The kubelet ensures that containers in a Pod are running according to the PodSpec.

Why this answer

Option B is correct. The kubelet is the primary node agent that communicates with the container runtime and ensures containers are running and healthy. kube-proxy manages network rules, the container runtime runs containers but is not directly responsible for enforcing the spec, and the scheduler assigns pods to nodes.

723
MCQeasy

What does the 'kubectl logs' command retrieve?

A.Audit logs
B.Cluster events
C.Container logs
D.Node logs
AnswerC

kubectl logs shows the logs of a single container.

Why this answer

kubectl logs fetches the standard output and standard error logs from a container in a pod.

724
MCQmedium

A company is adopting a GitOps workflow for their Kubernetes deployments. They want to ensure that the cluster state always matches the desired state defined in a Git repository. Which tool is specifically designed for this purpose?

A.Helm
B.Argo CD
C.Kustomize
D.Prometheus
AnswerB

Argo CD is a GitOps tool that syncs cluster state with a Git repository.

Why this answer

Argo CD is a declarative, GitOps continuous delivery tool specifically designed for Kubernetes that automatically synchronizes the live cluster state with the desired state defined in a Git repository. It continuously monitors the cluster and Git, applying any drift to ensure the cluster matches the repository, which is the core requirement of a GitOps workflow.

Exam trap

The trap here is that candidates often mistake Helm or Kustomize for GitOps tools because they are used in GitOps pipelines, but they lack the continuous reconciliation and drift detection that a dedicated GitOps operator like Argo CD provides.

How to eliminate wrong answers

Option A is wrong because Helm is a package manager for Kubernetes that uses charts to define, install, and upgrade applications, but it does not provide continuous synchronization or drift detection from a Git repository; it is a deployment tool, not a GitOps operator. Option C is wrong because Kustomize is a configuration management tool that allows customizing Kubernetes manifests without templates, but it is a CLI tool or a kubectl plugin, not a controller that continuously reconciles cluster state with a Git repository. Option D is wrong because Prometheus is a monitoring and alerting toolkit for metrics collection and alerting, not a deployment or GitOps tool; it has no mechanism to enforce desired state from Git.

725
MCQmedium

A user runs 'kubectl create deployment my-deploy --image=nginx' and then wants to scale the deployment to 5 replicas. Which command should they use?

A.kubectl apply -f deployment.yaml with replicas: 5
B.kubectl edit deployment my-deploy and change replicas to 5
C.kubectl patch deployment my-deploy -p '{"spec":{"replicas":5}}'
D.kubectl scale deployment my-deploy --replicas=5
AnswerD

Correct command.

Why this answer

kubectl scale deployment my-deploy --replicas=5 is the direct command to change the replica count.

726
Multi-Selectmedium

Which TWO statements about container images are correct? (Choose two.)

Select 2 answers
A.Container images include a full operating system kernel
B.Container images can be stored in a registry like Docker Hub
C.Container images are built from a series of layers
D.Container images are immutable once built
E.Container images can only be built on Linux
AnswersB, C

Registries store and distribute images.

Why this answer

Container images are built in layers and can be stored in registries. They are not immutable once built (they can be overwritten), and they include only the application and dependencies, not a full OS kernel.

727
MCQeasy

Which component in Kubernetes is responsible for maintaining the desired state of the cluster?

A.kube-scheduler
B.kube-proxy
C.kube-controller-manager
D.kubelet
AnswerC

The controller manager runs controllers that enforce the desired state.

Why this answer

The kube-controller-manager is the component that runs controller processes, which are control loops that watch the shared state of the cluster through the API server and make changes to move the current state toward the desired state. It is responsible for ensuring that the cluster's actual state matches the desired state defined in Kubernetes objects such as Deployments, ReplicaSets, and StatefulSets.

Exam trap

CNCF often tests the distinction between the kube-controller-manager and the kubelet, where candidates mistakenly think the kubelet maintains the cluster's desired state because it manages containers on a node, but the kubelet only ensures the pod's containers are healthy on its local node, not the cluster-wide desired state.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is responsible for assigning pods to nodes based on resource availability and scheduling policies, not for maintaining the desired state of the cluster. Option B is wrong because kube-proxy is a network proxy that runs on each node and implements part of the Kubernetes Service concept by maintaining network rules, not for maintaining desired state. Option D is wrong because kubelet is an agent that runs on each node and ensures containers are running in a pod as expected, but it only manages the state on its specific node and does not maintain the overall desired state of the cluster.

728
MCQhard

A pod in a ReplicaSet is failing with 'CrashLoopBackOff'. 'kubectl logs pod' shows 'Error: listen tcp :8080: bind: address already in use'. What is the most likely cause?

A.The readiness probe is misconfigured.
B.The container image is missing the application binary.
C.The container's process is not terminating quickly enough on SIGTERM, causing a port conflict on restart.
D.The pod is using hostPort and two pods on the same node conflict.
AnswerC

Old process still holds the port.

Why this answer

The error 'address already in use' on port 8080 indicates that when the container restarts, the previous process is still holding the port. This typically happens when the application does not handle SIGTERM properly and does not shut down within the terminationGracePeriodSeconds (default 30s), so the old process lingers while the new one tries to bind to the same port, causing a CrashLoopBackOff.

Exam trap

CNCF often tests the distinction between pod startup failures caused by resource constraints or probe misconfiguration versus application-level port conflicts that arise from improper signal handling during restarts.

How to eliminate wrong answers

Option A is wrong because a misconfigured readiness probe would cause the pod to be marked as not ready, but it would not produce a 'bind: address already in use' error in the logs. Option B is wrong because if the container image were missing the application binary, the error would be something like 'executable file not found' or 'no such file or directory', not a port binding error. Option D is wrong because hostPort is used for port mapping to the node, but the error is about a port conflict inside the same container on restart, not between two different pods on the same node.

729
Multi-Selecthard

Which TWO components are part of the core Flux GitOps toolkit? (Choose 2)

Select 2 answers
A.Helm Controller
B.Helm
C.Source Controller
D.ArgoCD Application Controller
E.Kustomize Controller
AnswersC, E

Why this answer

Flux's core GitOps toolkit includes the Source Controller and the Kustomize Controller. The Helm Controller is also part of Flux, but since exactly two answers are required, the most essential components are Source and Kustomize.

ArgoCD is a separate tool, as is Helm itself, even though Flux ships a Helm Controller. The expected answer is therefore Source Controller and Kustomize Controller.

730
MCQeasy

What is the primary purpose of a Kubernetes Service object?

A.To store configuration data that can be consumed by Pods
B.To manage rolling updates and rollbacks for Pods
C.To provide a stable IP address and DNS name for a set of Pods
D.To persist data beyond the lifecycle of a Pod
AnswerC

Services create a durable endpoint that abstracts the underlying Pod IPs, supporting load balancing and service discovery.

Why this answer

Option C is correct. A Service provides a stable network endpoint (IP and DNS name) for a set of Pods, enabling reliable communication even as Pods are created or terminated. Pods themselves have ephemeral IPs.

Services do not provide storage or configuration data.

731
Multi-Selectmedium

Which TWO of the following are Kubernetes control plane components?

Select 2 answers
A.kube-apiserver
B.container runtime
C.etcd
D.kube-proxy
E.kubelet
AnswersA, C

The API server is a core control plane component.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane, exposing the Kubernetes API. It validates and processes RESTful requests (using JSON/YAML over HTTP/HTTPS) that create, update, or delete cluster resources, and it is the only component that communicates directly with etcd. Without the API server, no control plane operations can be performed. etcd, the distributed key-value store that holds all cluster data, is the second control plane component among the options; the container runtime, kube-proxy, and kubelet all run on worker nodes.

Exam trap

CNCF often tests the distinction between control plane and worker node components; candidates mistakenly include kubelet or kube-proxy as control plane components because they are essential for cluster operation, but they run on nodes, not on the control plane.

732
MCQeasy

Which tool is commonly used for log aggregation in Kubernetes and is designed to be lightweight?

A.Fluent Bit
B.Jaeger
C.Prometheus
D.Grafana
AnswerA

Fluent Bit is a lightweight log processor for log aggregation.

Why this answer

Fluent Bit is a lightweight log processor and forwarder, often used as a DaemonSet to collect logs.

733
MCQhard

In the context of the 12-factor app methodology, which factor requires that an app's configuration be stored in environment variables?

A.Config
B.Dependencies
C.Codebase
D.Backing services
AnswerA

Why this answer

Factor III (Config) states that configuration should be stored in environment variables to decouple it from code.

734
MCQhard

A pod is stuck in Terminating state for several minutes. What is the most likely cause?

A.The node is unreachable or the kubelet is not responding
B.The deployment is configured with a grace period
C.The pod has a liveness probe that is failing
D.The pod's container runtime is paused
AnswerA

If the kubelet cannot be contacted, the pod cannot be terminated.

Why this answer

When a pod is stuck in Terminating state, the most likely cause is that the node where the pod was running is unreachable or the kubelet is not responding. The kubelet is responsible for executing the pod's termination lifecycle, including sending SIGTERM and, after the grace period, SIGKILL. If the kubelet cannot communicate with the API server (e.g., due to node failure, network partition, or kubelet crash), the pod's finalizer cannot be removed, leaving it stuck in Terminating.

Exam trap

CNCF often tests the misconception that a failing liveness probe or a misconfigured grace period causes a pod to be stuck in Terminating, when in fact the root cause is almost always a node or kubelet communication issue.

How to eliminate wrong answers

Option B is wrong because a deployment configured with a grace period (terminationGracePeriodSeconds) is normal and does not cause a pod to be stuck; the pod will be forcefully terminated after the grace period expires. Option C is wrong because a failing liveness probe causes the pod to be restarted or recreated, not stuck in Terminating; liveness probes affect running pods, not termination. Option D is wrong because a paused container runtime would prevent the pod from starting or running, but it does not prevent the kubelet from completing the termination process; the kubelet can still force-kill the container.

735
MCQhard

Which of the following best describes immutable infrastructure?

A.Servers that are updated in-place with configuration management tools
B.Infrastructure that is version-controlled and deployed using blue/green deployments
C.Infrastructure components that are replaced rather than changed after deployment
D.Infrastructure that uses only read-only file systems
AnswerC

Immutable infrastructure replaces components instead of modifying them.

Why this answer

Immutable infrastructure means that servers or containers are never modified after deployment; any change requires replacing the resource with a new version.

736
MCQhard

You are an SRE managing a Kubernetes cluster with 200 nodes and 10,000 pods. The cluster runs a critical payment processing application. Users report that transactions are occasionally failing with a 'timeout' error. You have Prometheus and Grafana set up for monitoring, and you use Fluentd with Elasticsearch for logging. You notice that during peak hours, the CPU usage of the payment service pods spikes to 90%, but memory usage remains stable. The pod restart count is low. You also see that the response time of the payment service increases significantly during these spikes. You need to identify the root cause and propose a fix. Which course of action is most appropriate?

A.Add more replicas of the payment service to distribute the load
B.Increase the memory limits for the payment service pods to improve caching
C.Implement a circuit breaker pattern to fail fast and avoid timeouts
D.Increase the CPU limits for the payment service pods to allow more CPU resources during spikes
AnswerD

This directly addresses the CPU bottleneck, reducing response time.

Why this answer

Option D is correct because the CPU usage spikes to 90% during peak hours, indicating that the payment service pods are CPU-bound. Increasing CPU limits allows the pods to burst and utilize more CPU resources, reducing response times and preventing timeouts. This directly addresses the bottleneck without adding unnecessary replicas or changing memory settings.

Exam trap

CNCF often tests the misconception that scaling replicas always solves performance issues, but here the bottleneck is per-pod CPU limits, not overall load distribution.

How to eliminate wrong answers

Option A is wrong because adding more replicas does not solve the root cause of CPU starvation; it may spread the load but each pod still faces the same CPU limit, and the issue is per-pod CPU saturation, not overall cluster capacity. Option B is wrong because memory usage is stable, so increasing memory limits does not address the CPU bottleneck and could waste resources. Option C is wrong because a circuit breaker pattern handles failures gracefully but does not fix the underlying performance issue; it would only mask the timeouts by failing fast, not reduce the actual response time.

737
Multi-Selectmedium

Which TWO statements about Namespaces are correct?

Select 2 answers
A.Namespaces provide a way to divide cluster resources among multiple users
B.Namespaces act as a strong security boundary by default
C.Namespaces help organize objects in a cluster
D.Every resource must be created in a namespace
E.Resources in different namespaces cannot communicate with each other
AnswersA, C

Namespaces enable resource quotas and access control scoping.

Why this answer

Option A is correct because Namespaces in Kubernetes provide a mechanism for partitioning a single cluster into multiple virtual clusters, enabling resource quota management and access control for different users or teams. This allows administrators to divide cluster resources (like CPU, memory, and storage) among multiple users via ResourceQuotas and LimitRanges, without requiring separate physical clusters.

Exam trap

CNCF often tests the misconception that Namespaces provide strong security isolation by default, when in reality they only offer logical separation and require explicit NetworkPolicies and RBAC for security.

738
MCQeasy

What is the primary purpose of the CNCF (Cloud Native Computing Foundation)?

A.To certify individuals in cloud-native technologies
B.To develop and maintain the Kubernetes project exclusively
C.To host and nurture open-source cloud-native projects and drive adoption
D.To provide commercial support for cloud-native software
AnswerC

CNCF's mission is to make cloud-native computing ubiquitous by hosting projects and fostering community.

Why this answer

The CNCF fosters the adoption of cloud-native technologies by hosting and nurturing open-source projects like Kubernetes, Prometheus, and Envoy.

739
MCQmedium

A CI/CD pipeline includes image scanning. What is the primary security benefit of scanning container images in the CI phase?

A.It reduces the time it takes to build images
B.It automatically fixes vulnerabilities
C.It prevents vulnerable images from being deployed to production
D.It ensures that the image is built only once
AnswerC

Scanning early in the pipeline allows teams to fix vulnerabilities before deployment.

Why this answer

Scanning images in CI catches vulnerabilities before the image is deployed, preventing vulnerable images from reaching production.

740
Multi-Selectmedium

Which THREE are benefits of using container orchestration platforms like Kubernetes?

Select 3 answers
A.High availability through automatic container restart and replication
B.Automatic scaling of container replicas based on resource usage
C.Self-healing by replacing failed containers without manual intervention
D.Simplified application development by eliminating the need for code changes
E.Elimination of the need for monitoring and logging
AnswersA, B, C

Orchestrators monitor container health and automatically restart failed containers, ensuring high availability.

Why this answer

Options A, B, and C are correct. Orchestration provides high availability (A), scaling (B), and self-healing (C). Option D is false: orchestration adds complexity, not simplicity.

Option E is false: manual intervention can be reduced, but orchestration does not eliminate the need for monitoring and logging.

741
MCQhard

You are a platform engineer at a fast-growing startup. The company runs a Kubernetes cluster with 50 worker nodes for its production microservices. Recently, the operations team has been struggling with manual configuration drift: developers SSH into nodes to install debugging tools, and some nodes have different kernel parameters or installed packages. This has caused intermittent outages when a pod is scheduled onto a non-standard node. The CTO wants a solution that ensures each node is identical, immutable, and reproducible. The cluster uses kubeadm for bootstrapping and runs on AWS EC2. Which approach best achieves the goal of immutable nodes?

A.Use a configuration management tool like Ansible to enforce desired state on each node via periodic runs.
B.Apply Kubernetes node labels and taints to categorize nodes and prevent workloads from running on non-standard nodes.
C.Create a golden AMI using Packer with all required configurations, then use Auto Scaling groups with a launch template that references the AMI and enable instance refresh for updates.
D.Deploy a DaemonSet that runs a privileged container to enforce node configuration and remove debugging tools.
AnswerC

A golden AMI provides an identical, immutable base. Instance refresh replaces nodes rather than modifying them.

Why this answer

Option C is correct because it uses a golden AMI built with Packer to create identical, immutable nodes that are reproducible via Auto Scaling groups and launch templates. This approach ensures that every EC2 instance launched has the exact same kernel parameters, packages, and configuration, eliminating configuration drift. Instance refresh allows rolling updates to the AMI without manual intervention, aligning with the goal of immutable infrastructure.

Exam trap

The trap here is that candidates often confuse configuration management (Option A) with immutability, not realizing that periodic enforcement still allows drift and does not guarantee identical nodes at all times.

How to eliminate wrong answers

Option A is wrong because configuration management tools like Ansible enforce desired state via periodic runs, which still allows drift between runs and does not achieve true immutability; nodes remain mutable and can deviate. Option B is wrong because node labels and taints only control workload scheduling; they do not enforce node configuration or prevent nodes from being modified via SSH. Option D is wrong because a DaemonSet running a privileged container can attempt to enforce configuration but cannot prevent manual SSH changes or guarantee identical state across nodes, and it introduces security risks without solving the root cause of drift.

742
MCQhard

Which Kubernetes resource is commonly used to implement the sidecar pattern for injecting a service mesh proxy?

A.NetworkPolicy
B.Service
C.MutatingAdmissionWebhook
D.ConfigMap
AnswerC

Service meshes like Istio use a mutating webhook to automatically inject the Envoy sidecar proxy.

Why this answer

Option C is correct because a MutatingAdmissionWebhook intercepts Pod creation requests and automatically injects a sidecar container (e.g., Envoy or Linkerd-proxy) into the Pod spec. This is the standard mechanism used by service mesh control planes like Istio and Linkerd to transparently add the proxy without modifying application manifests.

Exam trap

CNCF often tests the misconception that a Service or NetworkPolicy is responsible for sidecar injection, when in fact only a mutating admission webhook can automatically modify Pod specs at creation time.

How to eliminate wrong answers

Option A is wrong because NetworkPolicy controls ingress/egress traffic at the network layer using labels and CIDR rules, not container injection. Option B is wrong because a Service provides a stable IP and DNS name for Pod discovery and load balancing, not sidecar injection. Option D is wrong because a ConfigMap stores non-sensitive configuration data as key-value pairs or files, but cannot mutate Pod specs at creation time.

743
MCQhard

A Service of type ClusterIP is created for a Deployment, but Pods in other namespaces cannot reach it. What is the most likely cause?

A.NetworkPolicies are blocking cross-namespace traffic
B.The Pods in other namespaces are using the short Service name without the namespace suffix
C.The Service is not publishing the correct port
D.The Service selector does not match the Pod labels
AnswerB

Cross-namespace access requires the full DNS name including the namespace.

Why this answer

The most likely cause is that Pods in other namespaces are using the short Service name (e.g., `my-service`) without appending the namespace suffix (e.g., `my-service.other-namespace.svc.cluster.local`). Kubernetes DNS resolves short names only within the same namespace; cross-namespace resolution requires the fully qualified domain name (FQDN) or at least the `<service>.<namespace>.svc` form. Without this, the DNS lookup fails, making the Service unreachable from other namespaces.

Exam trap

The trap here is that candidates often assume DNS works globally across namespaces with short names, but Kubernetes DNS only resolves short names within the same namespace by default, requiring the namespace suffix for cross-namespace access.

How to eliminate wrong answers

Option A is wrong because NetworkPolicies are not enabled by default and would require explicit configuration to block cross-namespace traffic; the question states Pods 'cannot reach it' without mentioning any NetworkPolicy, so this is not the most likely cause. Option C is wrong because if the Service were not publishing the correct port, it would affect all clients, not just those in other namespaces, and the question specifically isolates the issue to cross-namespace access. Option D is wrong because if the Service selector did not match the Pod labels, the Service would have no endpoints at all, making it unreachable from any namespace, not just from other namespaces.

744
MCQeasy

What is the primary purpose of a Kubernetes Service?

A.To manage container image versions
B.To store configuration data as key-value pairs
C.To provide a stable endpoint for accessing a set of pods
D.To schedule pods onto nodes
AnswerC

A Service exposes a logical set of pods with a stable IP and DNS name, enabling reliable communication.

Why this answer

A Kubernetes Service provides a stable, virtual IP address and DNS name that acts as a consistent endpoint for accessing a set of pods, regardless of pod IP changes due to scaling, restarts, or scheduling. It decouples frontend clients from backend pods by using label selectors to route traffic, ensuring high availability and load balancing across the pod group.

Exam trap

The trap here is that candidates confuse a Service with a Deployment or ReplicaSet, thinking its purpose is to manage pod lifecycle or scaling, rather than understanding it is purely a networking abstraction for stable pod access.

How to eliminate wrong answers

Option A is wrong because managing container image versions is the responsibility of container registries and image tags, not a Service; this is handled by tools like Docker Hub or Kubernetes image pull policies. Option B is wrong because storing configuration data as key-value pairs is the purpose of a ConfigMap or Secret, not a Service; Services handle network abstraction, not configuration storage. Option D is wrong because scheduling pods onto nodes is the job of the Kubernetes Scheduler, which uses resource requests and constraints, not a Service; a Service only routes traffic to already-scheduled pods.

745
Multi-Selecteasy

Which TWO of the following are functions of the kube-controller-manager?

Select 2 answers
A.Managing replication and ensuring the desired number of pods are running
B.Storing cluster state
C.Exposing the Kubernetes API
D.Monitoring node health and responding to node failures
E.Assigning pods to nodes
AnswersA, D

The replication controller ensures the correct number of pod replicas.

Why this answer

The kube-controller-manager runs controller processes that regulate the state of the cluster. The replication controller (part of the controller manager) ensures that the actual number of pod replicas matches the desired count specified in a ReplicaSet or ReplicationController, automatically creating or terminating pods as needed. Additionally, the node controller within the kube-controller-manager periodically checks node health via the Node Lifecycle Controller, which monitors heartbeats (NodeStatus updates) and responds to node failures by tainting the node and evicting pods after a configurable timeout (default 5 minutes).

Exam trap

CNCF often tests the distinction between the kube-controller-manager and the kube-scheduler, so the trap here is that candidates mistakenly think pod-to-node assignment is a controller function, when it is exclusively handled by the scheduler.

746
MCQeasy

Which component runs on every worker node and is responsible for maintaining the lifecycle of pods?

A.container runtime
B.kube-scheduler
C.kubelet
D.kube-proxy
AnswerC

kubelet runs on each node and manages pods and containers.

Why this answer

kubelet is the primary node agent that ensures containers are running as expected in a pod.

747
MCQmedium

A pod is in 'Pending' state for a long time. What is the most likely cause?

A.The pod's container has crashed
B.The pod's service endpoint is misconfigured
C.The scheduler cannot find a node that satisfies the pod's resource requests or constraints
D.The container image is invalid
AnswerC

If no node meets the pod's requirements, the pod remains unscheduled.

Why this answer

A pod remains in 'Pending' state when it has been accepted by the API server but cannot be scheduled onto a node. The most common cause is that the scheduler cannot find a node that meets the pod's resource requests (CPU/memory) or constraints (node selectors, affinity rules, taints/tolerations). Until a suitable node is found, the pod stays in Pending, waiting for scheduling.

Exam trap

CNCF often tests the distinction between scheduling failures (Pending) and runtime failures (CrashLoopBackOff, ImagePullBackOff), so the trap here is confusing a pod that cannot be placed on a node with a pod that fails after it starts running.

How to eliminate wrong answers

Option A is wrong because a container crash (e.g., CrashLoopBackOff) occurs after the pod is scheduled and running, not while it is still in Pending. Option B is wrong because a misconfigured service endpoint (e.g., wrong selector or port) affects network connectivity to the pod, not the pod's scheduling state; the pod would still be scheduled and running. Option D is wrong because an invalid container image (e.g., wrong tag or registry path) causes the pod to fail during container creation after scheduling, resulting in ImagePullBackOff or ErrImagePull, not a prolonged Pending state.

748
MCQhard

In event-driven architecture, which component is responsible for decoupling event producers from consumers?

A.Event broker
B.Event consumer
C.Event producer
D.API gateway
AnswerA

Why this answer

The event broker (e.g., Apache Kafka, RabbitMQ, or AWS EventBridge) acts as an intermediary that receives events from producers and forwards them to consumers. By decoupling the two, the producer does not need to know the consumer's location or status, and the consumer does not need to be actively listening when the event is published. This enables asynchronous, scalable, and fault-tolerant communication in event-driven architectures.

Exam trap

CNCF often tests the distinction between synchronous and asynchronous communication patterns, and the trap here is that candidates mistakenly think an API gateway (which handles synchronous requests) can decouple producers and consumers in an event-driven architecture, when in fact it only routes requests without persistent event storage or asynchronous delivery.

How to eliminate wrong answers

Option B (Event consumer) is wrong because the consumer is the recipient of events, not the component that decouples producers from consumers; it relies on the broker for decoupling. Option C (Event producer) is wrong because the producer generates events but has no built-in mechanism to decouple itself from consumers without an intermediary. Option D (API gateway) is wrong because an API gateway is designed for synchronous request-response patterns (e.g., REST APIs) and does not provide the persistent, asynchronous event buffering and routing that decouples producers from consumers.

749
MCQmedium

An application running in a Kubernetes pod needs to access a database that is deployed on a VM outside the cluster. The database IP is stable. Which is the best way to expose the database to the pod?

A.Expose the database via Ingress
B.Create a Service of type ExternalName pointing to the database hostname
C.Use a Headless Service
D.Create an EndpointSlice manually with the pod IP
AnswerB

ExternalName service provides a DNS alias to an external resource.

Why this answer

Option B is correct because a Service of type ExternalName provides a DNS-based abstraction for external resources, mapping a Kubernetes service name to an external DNS name (the database hostname). This allows the pod to access the database via a stable in-cluster DNS name without needing to manage IP changes or network policies for external endpoints. It is the simplest and most Kubernetes-native way to expose a stable external IP to a pod.

Exam trap

CNCF often tests the misconception that Ingress can handle any external service, but Ingress is strictly for HTTP/HTTPS traffic and cannot expose raw TCP services like databases.

How to eliminate wrong answers

Option A is wrong because Ingress is designed for HTTP/HTTPS traffic routing to internal services, not for exposing external databases (which typically use non-HTTP protocols like TCP). Option C is wrong because a Headless Service is used for stateful applications or service discovery of pod IPs within the cluster, not for pointing to an external resource. Option D is wrong because manually creating an EndpointSlice with the pod IP would require the database to be running as a pod inside the cluster, which contradicts the scenario where the database is on an external VM.

750
Multi-Selecthard

Which THREE are common features of progressive delivery?

Select 3 answers
A.Feature flags to enable/disable features
B.Gradual traffic shifting
C.Automated analysis and rollback
D.All-at-once deployment
E.Manual verification for every change
AnswersA, B, C

Feature flags allow toggling functionality without redeployment.

Why this answer

Progressive delivery uses gradual rollout, feature flags, and analysis to reduce risk.
