Kubernetes and Cloud Native Associate KCNA (KCNA) — Questions 751-825

997 questions total · 14 pages · All types, answers revealed

Page 11 of 14

751
Multi-Select · medium

Which TWO statements accurately describe the concept of immutable infrastructure in the context of container orchestration? (Select two.)

Select 2 answers
A. Configuration changes can be applied via SSH into the container
B. Container images are versioned and promoted through environments without modification
C. When an update is needed, a new container image is built and deployed, and old containers are destroyed
D. Containers are updated in place by executing commands inside running containers
E. Stateful applications require mutable infrastructure
Answers: B, C

Immutable infrastructure promotes the same image through development, staging, and production without changes, ensuring consistency.

Why this answer

Option B is correct because immutable infrastructure treats container images as immutable artifacts that are versioned and promoted through environments (e.g., dev, staging, prod) without modification. This ensures consistency and reproducibility, as the same image is deployed across all stages without patching or altering it in place.

Exam trap

CNCF often tests the distinction between mutable and immutable patterns by presenting options that describe in-place updates (like SSH or exec commands) as valid, which candidates mistakenly accept if they confuse operational debugging with infrastructure management.

752
MCQ · easy

Which kubectl command would you use to view the logs of a specific pod?

A. kubectl logs <pod-name>
B. kubectl exec <pod-name> -- logs
C. kubectl describe pod <pod-name>
D. kubectl get logs <pod-name>
Answer: A

This is the correct command to retrieve pod logs.

Why this answer

The 'kubectl logs' command is used to fetch logs from containers in a pod.

753
MCQ · easy

What is the smallest deployable unit in Kubernetes that can be created and managed?

A. Container
B. Pod
C. Service
D. Deployment
Answer: B

Why this answer

The Pod is the smallest and simplest unit in the Kubernetes object model that you can create and manage. It represents a single instance of a running process in the cluster and encapsulates one or more containers, shared storage, and a unique cluster IP. While containers are the runtime units, Kubernetes does not manage containers directly; it manages Pods, which are the atomic scheduling unit.

Exam trap

The trap here is that candidates confuse containers (the runtime process) with Pods (the Kubernetes API object), leading them to pick 'Container' because they think of Docker-style units, but Kubernetes always wraps containers inside Pods as the smallest deployable and manageable entity.

How to eliminate wrong answers

Option A is wrong because a container is not a Kubernetes API object; it is a runtime abstraction managed by the container runtime (e.g., containerd), and Kubernetes schedules and manages Pods, not individual containers. Option C is wrong because a Service is an abstraction that defines a logical set of Pods and a policy to access them; it is not a deployable unit but a networking resource that sits above Pods. Option D is wrong because a Deployment is a higher-level controller that manages ReplicaSets and Pods, providing declarative updates and scaling; it is not the smallest unit but a management layer over Pods.

754
MCQ · medium

Which of the following is a container runtime that implements the Container Runtime Interface (CRI)?

A. rkt
B. Docker
C. containerd
D. Hyper-V
Answer: C

containerd is a CRI-compliant runtime used by Kubernetes.

Why this answer

containerd is a core container runtime that implements the CRI and is commonly used in Kubernetes.

755
MCQ · medium

You want to run a batch job that processes data and then terminates. Which Kubernetes resource is best suited for this workload?

A. StatefulSet
B. DaemonSet
C. Job
D. Deployment
Answer: C

Why this answer

A Kubernetes Job is designed for batch processing workloads that run to completion and then terminate. Unlike controllers that maintain a desired number of running Pods (like Deployments or StatefulSets), a Job creates one or more Pods and ensures they successfully exit. Once the specified number of successful completions is reached, the Job stops, making it the ideal choice for a one-time data processing task.

Exam trap

CNCF often tests the distinction between controllers that maintain 'desired state' (Deployments, StatefulSets) versus controllers that manage 'completion' (Jobs), and the trap here is that candidates mistakenly choose Deployment for any workload that 'processes data' without recognizing the terminating nature of the task.

How to eliminate wrong answers

Option A is wrong because a StatefulSet is used for stateful applications that require stable, unique network identities and persistent storage (e.g., databases), not for terminating batch jobs. Option B is wrong because a DaemonSet ensures that a copy of a Pod runs on every node (or a subset of nodes) in the cluster, typically for cluster-level services like logging or monitoring, not for one-off tasks. Option D is wrong because a Deployment manages a set of identical Pods with a desired replica count and supports rolling updates, but it is designed for long-running services, not for workloads that should terminate after completion.

756
MCQ · easy

What is a primary benefit of using containers over virtual machines?

A. Containers provide stronger isolation than VMs
B. Containers can run any operating system kernel
C. Containers are lightweight and share the host OS kernel
D. Containers require a hypervisor to run
Answer: C

Containers share the host kernel and have minimal overhead, making them lightweight.

Why this answer

Option C is correct because containers virtualize at the operating system level, sharing the host OS kernel while running in isolated user-space instances. This eliminates the need for a full guest OS per workload, making containers significantly more lightweight in terms of memory, disk usage, and startup time compared to virtual machines, which each require a separate kernel and hypervisor.

Exam trap

CNCF often tests the misconception that containers provide stronger isolation than VMs, when in fact VMs offer hardware-enforced isolation via the hypervisor, and containers rely on software-enforced kernel isolation, which is weaker.

How to eliminate wrong answers

Option A is wrong because containers provide weaker isolation than VMs; VMs use a hypervisor to enforce hardware-level isolation between guest kernels, while containers rely on kernel features like namespaces and cgroups, which share the host kernel and have a larger attack surface. Option B is wrong because containers cannot run any operating system kernel; they must use the same kernel as the host OS (e.g., Linux containers on a Linux host), and running a different kernel (e.g., Windows containers on Linux) requires a VM layer. Option D is wrong because containers do not require a hypervisor to run; they run directly on the host OS using container runtime engines like Docker or containerd, whereas VMs require a hypervisor (Type 1 or Type 2) to manage guest operating systems.

757
MCQ · easy

What is a key advantage of containers compared to virtual machines?

A. Containers provide stronger isolation than VMs
B. Containers are lightweight and share the host OS kernel
C. Containers include a full guest operating system
D. Containers require hypervisor software to run
Answer: B

This is correct; containers share the kernel, leading to lower overhead.

Why this answer

Containers are lightweight because they share the host operating system kernel, avoiding the overhead of a separate guest OS per instance. Unlike VMs, which each include a full OS and require hypervisor mediation, containers run as isolated user-space processes on the same kernel, enabling faster startup times and higher density. This kernel sharing is the fundamental architectural advantage that makes containers more resource-efficient than virtual machines.

Exam trap

The trap here is that candidates often confuse 'isolation' with 'security' and assume containers are more secure because they are lightweight, but Cisco tests the understanding that VMs provide stronger isolation via separate kernels and hypervisor-enforced boundaries.

How to eliminate wrong answers

Option A is wrong because containers provide weaker isolation than VMs, as they share the host kernel and rely on kernel namespaces and cgroups for separation, whereas VMs use a hypervisor to provide hardware-level isolation with separate kernels. Option C is wrong because containers do not include a full guest operating system; they package only the application and its dependencies, leveraging the host OS kernel. Option D is wrong because containers do not require hypervisor software to run; they run directly on the host OS using the container runtime (e.g., containerd, Docker), while hypervisors are needed for VMs.

758
Multi-Select · hard

Which TWO of the following statements about Kubernetes namespaces are true?

Select 3 answers
A. Services in different namespaces cannot communicate with each other
B. Every Kubernetes object must be created in a namespace
C. Deleting a namespace will delete all objects in it
D. Namespaces can be used to implement resource quotas
E. Namespaces provide a way to divide cluster resources between multiple users
Answers: C, D, E

Deleting a namespace cascades to all resources within it.

Why this answer

Namespaces provide logical isolation and can be used to separate environments, but not all objects are namespaced (e.g., nodes).

759
MCQ · hard

Which of the following kubectl commands would you use to apply a manifest file and also save it for later updates?

A. kubectl create -f manifest.yaml
B. kubectl patch -f manifest.yaml
C. kubectl replace -f manifest.yaml
D. kubectl apply -f manifest.yaml
Answer: D

Apply is the recommended declarative approach.

Why this answer

The 'kubectl apply' command is used to apply a configuration to a resource by file or stdin. It also supports declarative management, tracking changes for updates.

760
MCQ · easy

Which command would you use to view the logs of a specific container in a pod?

A. kubectl logs <pod-name>
B. kubectl logs <container-name>
C. kubectl logs <pod-name> -c <container-name>
D. kubectl describe pod <pod-name>
Answer: C

The -c flag specifies the container name.

Why this answer

kubectl logs with the -c flag allows you to specify a container name when a pod has multiple containers.

761
MCQ · medium

A company wants to manage its Kubernetes resources using Git as the single source of truth, with automated synchronization. Which approach should they use?

A. Using Helm charts without version control
B. Infrastructure as Code with Terraform
C. Using kubectl apply -f with a CI/CD pipeline
D. GitOps with ArgoCD or Flux
Answer: D

GitOps uses Git as the source of truth and automatically syncs the cluster state to the desired state in Git.

Why this answer

GitOps is a practice where the entire system state is described declaratively in Git, and automated tools synchronize the cluster to match. ArgoCD and Flux are popular GitOps tools.

762
Multi-Select · medium

Which TWO are pillars of observability? (Select two.)

Select 2 answers
A. SLIs
B. Alerting
C. Logs
D. Metrics
E. Dashboards
Answers: C, D

Why this answer

Logs and Metrics are two of the three pillars of observability (alongside Traces). Logs provide immutable, timestamped records of discrete events, while Metrics are numeric aggregations of data over time (e.g., Prometheus counters, histograms). Together they form the foundation for understanding system behavior in cloud-native environments.

Exam trap

CNCF often tests the distinction between the pillars of observability (Logs, Metrics, Traces) and the tools or outputs derived from them (e.g., SLIs, Alerting, Dashboards), leading candidates to confuse operational practices with foundational data types.

763
MCQ · medium

A team wants to implement a canary deployment strategy for their Kubernetes application. Which tool is specifically designed for progressive delivery and can be used to automate canary rollouts?

A. Argo Rollouts
B. Flux
C. Kustomize
D. Helm
Answer: A

Argo Rollouts is purpose-built for progressive delivery with canary and blue-green deployments.

Why this answer

Argo Rollouts is a Kubernetes controller and set of CRDs that provides advanced deployment capabilities such as blue-green and canary deployments with automated promotion and rollback.

764
MCQ · medium

A Deployment named 'nginx' is failing to update. You run 'kubectl rollout status deployment nginx' and see 'Waiting for deployment "nginx" rollout to finish: 0 out of 3 new replicas have been updated...'. The pod template has an image that does not exist. What is the most likely cause?

A. The cluster is out of memory
B. The deployment has exceeded the revision history limit
C. The deployment is paused
D. The new image tag is incorrect or does not exist in the registry
Answer: D

Non-existent image leads to ImagePullBackOff, preventing new replicas from becoming ready.

Why this answer

Option D is correct because the rollout status shows that no new replicas have been created, which is a classic symptom of a container image pull failure. When the image tag specified in the pod template does not exist in the registry, the kubelet cannot pull the image, so the ReplicaSet controller cannot start new pods. This prevents the rollout from progressing past 0 out of 3 new replicas.

Exam trap

The trap here is that candidates may confuse a stuck rollout with resource constraints (memory/CPU) or assume the deployment is paused, but the specific status message '0 out of 3 new replicas have been updated' directly points to an image pull failure, not a scheduling or pause issue.

How to eliminate wrong answers

Option A is wrong because a cluster out-of-memory condition would typically cause pods to be in a Pending state with 'Insufficient memory' events, not a stuck rollout with 0 new replicas; the scheduler would fail to place pods, but the image pull issue is unrelated to memory. Option B is wrong because exceeding the revision history limit (default 10) only affects the number of old ReplicaSets retained, not the ability to create new replicas; the rollout would still proceed and create new pods. Option C is wrong because a paused deployment would show a different status message, such as 'deployment "nginx" paused', and the rollout status command would not report 'Waiting for deployment... rollout to finish'; paused deployments do not attempt to create new replicas at all.

765
MCQ · medium

You create a Pod with the following YAML. What will happen when you apply it?

A. The Pod will fail to create because memory and CPU are in the wrong unit
B. The Pod will be created with memory limit of 128Mi and CPU limit of 500m
C. The Pod will be created without resource limits because the syntax is incorrect
D. The Pod will be created but requests and limits will be ignored because they are not valid for Pods
Answer: B

The YAML correctly specifies limits and requests.

Why this answer

Option B is correct because the YAML defines resource limits and requests using standard Kubernetes units: '128Mi' for memory (mebibytes) and '500m' for CPU (millicores). These are valid and will be applied to the container, creating the Pod with the specified limits.

Exam trap

CNCF often tests the misconception that resource units like '128Mi' or '500m' are invalid or that resource limits are not applicable to Pods, when in fact they are standard and correctly applied to containers.

How to eliminate wrong answers

Option A is wrong because '128Mi' and '500m' are correct Kubernetes resource units (Mi = mebibytes, m = millicores), not invalid. Option C is wrong because the syntax is correct; resource limits are defined under 'resources.limits' and will be applied. Option D is wrong because resource limits and requests are valid for containers within a Pod, and they are not ignored; they are enforced by the kubelet.

766
MCQ · medium

A user wants to view the logs from a container named 'app' inside a multi-container pod named 'web'. Which kubectl command should be used?

A. kubectl logs web -c app
B. kubectl logs app web
C. kubectl logs web --container=app
D. kubectl logs web app
Answer: A, C

This is the correct command to view logs from a specific container.

Why this answer

The -c flag specifies the container name when a pod has multiple containers.

767
MCQ · medium

A developer wants to deploy a stateful application that requires stable network identities and persistent storage per pod instance. Which Kubernetes resource is most appropriate?

A. DaemonSet
B. Job
C. Deployment
D. StatefulSet
Answer: D

StatefulSets provide ordered, unique pod names and persistent storage per replica.

Why this answer

StatefulSet is the correct choice because it is specifically designed for stateful applications that require stable, unique network identities (via headless Services and ordinal hostnames) and persistent storage per pod instance (via PersistentVolumeClaims that are not shared across replicas). Unlike Deployments, StatefulSet maintains a sticky identity for each pod, ensuring that on rescheduling, the pod retains its name, network identity, and bound storage.

Exam trap

CNCF often tests the misconception that a Deployment with PersistentVolumeClaims is sufficient for stateful workloads, but the trap is that Deployments do not guarantee stable network identities or ordered pod naming, which are critical for applications like databases that rely on hostname-based clustering.

How to eliminate wrong answers

Option A (DaemonSet) is wrong because it ensures exactly one pod runs on each node, which is ideal for node-level agents (e.g., log collectors, monitoring daemons), not for stateful applications needing stable identities and per-instance storage. Option B (Job) is wrong because it is designed for batch or one-off tasks that run to completion, not for long-running stateful services that require persistent storage and stable network identities. Option C (Deployment) is wrong because it treats pods as ephemeral and interchangeable; while it supports persistent storage via PersistentVolumeClaims, it does not guarantee stable network identities or ordered pod naming, so a rescheduled pod gets a new name and IP, breaking stateful expectations.

768
MCQ · medium

What is the primary purpose of a service mesh in a cloud-native architecture?

A. To compile application code
B. To provide a dedicated infrastructure layer for handling service-to-service communication
C. To replace container orchestration
D. To store application configuration
Answer: B

The service mesh adds a layer of proxies to manage communication securely and reliably.

Why this answer

A service mesh provides observability, traffic management, and security for microservices communication, offloading these concerns from application code.

769
MCQ · medium

A user wants to ensure that a pod is automatically restarted if its main process crashes. Which Kubernetes controller should they use?

A. Deployment
B. Job
C. DaemonSet
D. CronJob
Answer: A

Deployments maintain desired pod count and restart failed pods via ReplicaSet.

Why this answer

A Deployment is the correct controller because it manages a ReplicaSet, which ensures a specified number of pod replicas are running at all times. If the main process in a pod crashes, the ReplicaSet detects the pod failure (via the kubelet's liveness probe or the pod's phase becoming 'Failed') and automatically creates a new pod to replace it, thereby restarting the application. This self-healing behavior is a core feature of Deployments, making them ideal for stateless applications that need continuous availability.

Exam trap

CNCF often tests the misconception that a 'restart' means the same pod is reused, but in Kubernetes, a Deployment (via ReplicaSet) creates a completely new pod, while the 'restartPolicy' field only controls container restarts within the same pod — the trap is confusing pod-level restart (ReplicaSet replacement) with container-level restart (kubelet action).

How to eliminate wrong answers

Option B (Job) is wrong because a Job is designed to run a finite task to completion; it does not automatically restart pods if the main process crashes — instead, it may create a new pod only if the Job's restart policy is set to 'OnFailure', but the Job itself is not intended for long-running, always-on services. Option C (DaemonSet) is wrong because it ensures that a copy of a pod runs on every node (or a subset of nodes), but its primary purpose is node-level services (e.g., logging, monitoring), not automatic restart of a crashed main process in a general-purpose application; while DaemonSets do use a controller that recreates pods on failure, the question asks for a controller that ensures restart for a single application, and DaemonSet is node-scoped, not workload-scoped. Option D (CronJob) is wrong because it runs Jobs on a scheduled basis; it does not provide continuous pod restart — it only creates Jobs at specified times, and the underlying Job's behavior applies, but the CronJob itself does not monitor or restart crashed pods between scheduled runs.

770
MCQ · hard

You have a multi-container pod with containers 'app' and 'sidecar'. You need to execute a shell command inside the 'sidecar' container. Which kubectl command should you use?

A. kubectl exec -it mypod -- /bin/sh
B. kubectl exec -it sidecar --container mypod -- /bin/sh
C. kubectl exec -it mypod --container sidecar -- /bin/sh
D. kubectl exec -it mypod -c sidecar -- /bin/sh
Answer: D

The -c flag specifies the container to exec into.

Why this answer

Option D is correct because `kubectl exec` uses the `-c` flag (or `--container`) to specify a target container within a multi-container pod. The syntax `kubectl exec -it mypod -c sidecar -- /bin/sh` opens an interactive shell in the 'sidecar' container of the pod named 'mypod'. Without the `-c` flag, the command defaults to the first container in the pod's spec, which would be 'app'.

Exam trap

CNCF often tests the misconception that `kubectl exec` defaults to the first container or that the container flag is optional, leading candidates to pick option A, which would execute in the wrong container.

How to eliminate wrong answers

Option A is wrong because it omits the `-c` flag, so the shell executes in the first container (typically 'app') rather than 'sidecar'. Option B is wrong because it incorrectly places `--container mypod` as a value for the container flag; the flag expects a container name, not a pod name, and the pod name should follow `exec`. Option C is wrong because it uses `--container sidecar` after the pod name, which is syntactically valid but not the standard short form, and its argument order is non-standard and could cause confusion. The real trap is that `--container` is a valid alternative to `-c`, so this option is actually correct in function but is not the preferred or most common syntax. For the KCNA exam, the `-c` flag is the standard and expected answer; option C uses the long form `--container`, which is also acceptable but less concise.

The question asks 'Which kubectl command should you use?' and D is the most direct and standard form.

771
MCQ · easy

Which Kubernetes object provides stable network endpoints and load balancing for a set of pods?

A. Deployment
B. ConfigMap
C. Service
D. Pod
Answer: C

Service provides a stable endpoint and load balancing for pods.

Why this answer

A Service provides a stable IP and DNS name, and load balances traffic across pods selected by labels.

772
MCQ · easy

What is the primary purpose of Kubernetes?

A. To replace Docker as a container runtime
B. To provide a graphical user interface for managing containers
C. To automate deployment, scaling, and operations of application containers across clusters
D. To provide a virtual machine management platform
Answer: C

This is the core purpose of Kubernetes.

Why this answer

Kubernetes is a container orchestration platform that automates deployment, scaling, and management of containerized applications.

773
MCQ · medium

In Flux CD, which component is responsible for reconciling the cluster state with the source of truth defined in a Git repository?

A. Kustomize controller
B. Source controller
C. Helm controller
D. Notification controller
Answer: B

The source controller watches Git repositories and other sources for changes.

Why this answer

The source controller fetches artifacts (e.g., from Git, Helm repos) and the kustomize controller applies manifests, but the reconciliation of desired state from Git is primarily managed by the source controller and kustomize controller working together. However, the source controller is the one that monitors sources.

774
Multi-Select · easy

Which TWO of the following are examples of Infrastructure as Code (IaC) tools? (Choose two.)

Select 2 answers
A. Docker
B. Terraform
C. Kubernetes
D. Prometheus
E. Pulumi
Answers: B, E

Terraform is an IaC tool by HashiCorp.

Why this answer

Terraform (B) is an Infrastructure as Code (IaC) tool that uses declarative configuration files (HashiCorp Configuration Language, HCL) to define and provision cloud and on-premises resources. It manages the full lifecycle of infrastructure through a state file and provider plugins, enabling version-controlled, repeatable deployments.

Exam trap

CNCF often tests the distinction between containerization/orchestration tools (Docker, Kubernetes) and actual IaC tools, leading candidates to confuse tools that manage applications with those that provision infrastructure.

775
MCQ · easy

What is the Container Runtime Interface (CRI)?

A. A plugin interface that allows kubelet to use a variety of container runtimes
B. A specification for container images
C. A registry for storing container images
D. A command-line tool for managing containers
Answer: A

CRI enables kubelet to communicate with runtimes.

Why this answer

The Container Runtime Interface (CRI) is a plugin interface that enables the kubelet to communicate with different container runtimes (e.g., containerd, CRI-O) without needing to know their internal implementation details. It defines a gRPC-based protocol for managing container lifecycles, image operations, and pod sandboxes, allowing Kubernetes to remain runtime-agnostic.

Exam trap

CNCF often tests whether candidates confuse CRI with the OCI runtime spec or with container image formats, so the trap is assuming CRI defines image structure rather than the runtime-kubelet interface.

How to eliminate wrong answers

Option B is wrong because container images are defined by the OCI Image Specification, not by CRI. Option C is wrong because registries (like Docker Hub or Harbor) are storage systems for images, not an interface for runtime integration. Option D is wrong because command-line tools (e.g., crictl) may use CRI under the hood, but CRI itself is an API, not a CLI tool.

776
MCQ · medium

A developer runs 'helm upgrade --install myapp ./mychart' and sees the release status is 'failed'. What is the most likely cause?

A. The chart contains invalid Kubernetes manifests
B. The Tiller pod is not running
C. The Helm binary is outdated
D. The namespace does not exist
Answer: A

Invalid manifests cause the API server to reject them, failing the release.

Why this answer

A failed Helm upgrade usually means the Kubernetes API rejected the manifests (e.g., invalid YAML, resource conflict).

777
Multi-Select · hard

Which THREE of the following are valid reasons to use a StatefulSet instead of a Deployment? (Select 3)

Select 3 answers
A. You only need a single instance of the application
B. You need stable, unique network identifiers (e.g., pod hostnames) that persist across reschedules
C. You need each pod to have its own persistent storage that is not shared
D. You need to deploy a stateless web application with multiple replicas
E. You need ordered, graceful deployment and scaling (e.g., pod-0 starts before pod-1)
Answers: B, C, E

StatefulSets provide stable network identities (e.g., pod-0, pod-1) that are maintained across rescheduling.

Why this answer

StatefulSets provide stable, unique network identifiers (e.g., pod hostnames) that persist across reschedules because each pod gets a fixed ordinal index (e.g., pod-0, pod-1) and a corresponding DNS name (e.g., pod-0.statefulset.namespace.svc.cluster.local). This is essential for applications like databases (e.g., Cassandra, ZooKeeper) that rely on consistent peer discovery and identity, which Deployments cannot guarantee since they assign random pod names and IPs.

Exam trap

CNCF often tests the misconception that StatefulSets are only for persistent storage, but the trap here is that candidates overlook the requirement for stable network identities and ordered operations, which are equally critical and distinct from storage needs.

778
MCQ · medium

Which open-source project provides a unified standard for collecting and exporting telemetry data (metrics, logs, and traces) from applications?

A. Prometheus
B. OpenTelemetry
C. Jaeger
D. Fluentd
Answer: B

Correct. OpenTelemetry is a unified standard for metrics, logs, and traces.

Why this answer

OpenTelemetry (OTel) is the industry standard for observability data collection and export, providing vendor-agnostic instrumentation.

779
MCQ · medium

Which of the following is true about Kubernetes Namespaces?

A. Namespaces can help organize and manage resources in a cluster
B. Resource names must be unique across all namespaces
C. Namespaces provide network isolation between resources
D. You must create a namespace before creating any resources
Answer: A

Namespaces are used to divide cluster resources between multiple users/teams.

Why this answer

Namespaces provide a mechanism for isolating groups of resources within a single cluster, but they do not provide network isolation by default (that requires NetworkPolicies).

780
MCQ · easy

What is the smallest deployable unit in Kubernetes?

A. Deployment
B. Pod
C. Container
D. Node
Answer: B

A Pod is the smallest deployable unit that can be created and managed in Kubernetes.

Why this answer

The Pod is the smallest deployable unit in Kubernetes because it represents a single instance of a running process in the cluster and encapsulates one or more containers with shared storage and network resources. While containers are the runtime units, Kubernetes schedules and manages Pods, not individual containers, making the Pod the atomic building block for deployment.

Exam trap

CNCF often tests the misconception that a container is the smallest deployable unit because containers are the runtime entities, but Kubernetes abstracts them into Pods for scheduling and resource sharing, so candidates who confuse 'runtime unit' with 'deployable unit' will incorrectly select Container.

How to eliminate wrong answers

Option A is wrong because a Deployment is a higher-level abstraction that manages ReplicaSets and Pods, not the smallest deployable unit itself. Option C is wrong because a Container is the runtime process inside a Pod, but Kubernetes cannot schedule or manage a container directly without a Pod wrapper. Option D is wrong because a Node is a worker machine in the cluster that hosts Pods, not a deployable unit — you deploy Pods onto Nodes, not Nodes themselves.

781
MCQ · easy

Which command is used to create a Deployment that runs an nginx container with 3 replicas?

A. kubectl create pod nginx --image=nginx --replicas=3
B. kubectl run nginx --image=nginx --replicas=3
C. kubectl create deployment nginx --image=nginx --replicas=3
D. kubectl scale deployment nginx --replicas=3
Answer: C

This command creates a Deployment named nginx with the specified image and replicas.

Why this answer

The correct command uses 'kubectl create deployment' with the --image and --replicas flags.

782
MCQmedium

A team wants to minimize downtime during a Deployment rollout. Which strategy ensures that new pods are created before old pods are terminated?

A.Set strategy type to 'Recreate'.
B.Set strategy type to 'RollingUpdate' with maxSurge=0, maxUnavailable=1.
C.Set strategy type to 'RollingUpdate' with maxSurge=1, maxUnavailable=0.
D.Set strategy type to 'RollingUpdate' with maxSurge=1, maxUnavailable=1.
AnswerC

New pods are created first, ensuring zero downtime.

Why this answer

Option C is correct because setting `maxSurge=1` and `maxUnavailable=0` in a RollingUpdate strategy ensures that one additional pod is created above the desired replica count before any existing pod is terminated. This guarantees zero downtime by maintaining full capacity during the rollout, as new pods become ready before old ones are removed.

Exam trap

The trap here is that candidates often confuse `maxSurge` and `maxUnavailable` values, mistakenly thinking that allowing both a surge and an unavailable pod (option D) is safer, when in fact it can still cause a temporary capacity drop if the new pod is not ready before the old one is terminated.

How to eliminate wrong answers

Option A is wrong because the 'Recreate' strategy terminates all old pods before creating new ones, causing downtime. Option B is wrong because `maxSurge=0, maxUnavailable=1` terminates one old pod before creating a new one, which can cause a temporary capacity deficit and potential downtime. Option D is wrong because `maxSurge=1, maxUnavailable=1` allows both a new pod to be created and an old pod to be terminated simultaneously, which may still result in a brief capacity drop if the new pod is not ready before the old one is removed.

783
MCQeasy

What is a key benefit of container orchestration platforms like Kubernetes?

A.Containers are tightly coupled to the underlying hardware
B.Each container runs its own operating system kernel
C.Containers can only run on a single host
D.Self-healing capabilities automatically restart failed containers
AnswerD

Orchestration platforms automatically restart failed containers, improving reliability.

Why this answer

Option D is correct. Container orchestration automates deployment, scaling, and management. A key benefit is self-healing: containers that fail are automatically restarted.

Option A is incorrect because containers are not tied to specific hardware. Option B is incorrect because containers share the host OS kernel; they do not have their own kernel. Option C is incorrect because containers run on a single host by default; orchestration manages multiple hosts.

784
MCQeasy

What is the primary purpose of Kubernetes?

A.To provide a graphical user interface for managing containers
B.To replace Docker as a container runtime
C.To automate deployment, scaling, and management of containerized applications
D.To compile source code into container images
AnswerC

This is the core purpose of Kubernetes.

Why this answer

Kubernetes is a container orchestration platform used to automate the deployment, scaling, and management of containerized applications.

785
Multi-Selectmedium

Which THREE of the following are valid use cases for distributed tracing in a microservices architecture?

Select 3 answers
A.Monitoring CPU and memory usage of each service instance
B.Understanding the dependency graph between microservices
C.Pinpointing the root cause of an error in a distributed transaction
D.Identifying which service contributes the most latency to an end-user request
E.Capturing detailed error messages and stack traces
AnswersB, C, D

Traces reveal service call relationships.

Why this answer

Distributed tracing is designed to track the flow of a single request across multiple microservices, recording timing and causality. Option B is correct because tracing systems like Jaeger or Zipkin automatically build a dependency graph by analyzing the parent-child relationships between spans, which reveals how services interact. This is a core use case for understanding service topology and identifying bottlenecks in a distributed system.

Exam trap

Cisco often tests the distinction between observability pillars (metrics, logs, traces) and expects candidates to recognize that distributed tracing is not a catch-all for monitoring or logging tasks, so the trap is confusing request-level tracing with infrastructure metrics or detailed error logging.

786
MCQeasy

What is a key benefit of using containers over virtual machines for application deployment?

A.Containers can only run on Linux
B.Containers require a hypervisor to run
C.Containers provide stronger isolation than VMs
D.Containers are more lightweight and start faster than VMs
AnswerD

Containers share the host OS kernel and do not need to boot a guest OS, leading to faster startup times and lower overhead.

Why this answer

Containers share the host OS kernel and run as isolated processes, requiring no separate guest OS per instance. This makes them significantly more lightweight and faster to start than VMs, which must boot a full guest OS. For application deployment, this translates to higher density, lower resource overhead, and near-instant startup times.

Exam trap

The trap here is that candidates often confuse 'stronger isolation' with 'better security' and pick Option C, not realizing that VMs actually provide stronger isolation due to separate kernels and hardware virtualization, while containers are designed for lightweight efficiency, not maximum isolation.

How to eliminate wrong answers

Option A is wrong because containers are not limited to Linux; Windows containers run on Windows Server and Docker Desktop supports both Linux and Windows containers via appropriate runtimes. Option B is wrong because containers do not require a hypervisor; they run directly on the host OS using kernel features like cgroups and namespaces, whereas VMs require a hypervisor to virtualize hardware. Option C is wrong because VMs provide stronger isolation than containers; each VM has its own separate kernel and hardware virtualization, while containers share the host kernel, making isolation weaker by design.

787
MCQmedium

Which command retrieves logs from a specific container named 'sidecar' in a multi-container pod?

A.kubectl logs pod-name sidecar
B.kubectl logs pod-name --container sidecar
C.kubectl logs pod-name -c sidecar
D.kubectl logs sidecar pod-name
AnswerC

Correct syntax for specifying a container.

Why this answer

The -c flag specifies the container name.

788
Multi-Selectmedium

Which three of the following are valid methods to create or update resources in Kubernetes? (Choose three.)

Select 3 answers
A.kubectl apply -f manifest.yaml
B.kubectl update -f manifest.yaml
C.kubectl replace -f manifest.yaml
D.kubectl create -f manifest.yaml
E.Using the Kubernetes REST API directly
AnswersA, D, E

apply creates/updates resources declaratively.

Why this answer

`kubectl apply` and `kubectl create` are used to create/update resources using a declarative or an imperative approach. Direct API calls also work. `kubectl update` does not exist.

789
Multi-Selecthard

Which THREE of the following are resiliency patterns commonly used in cloud native applications? (Choose three.)

Select 3 answers
A.Retry
B.Timeout
C.Singleton pattern
D.Circuit breaker
E.Round-robin load balancing
AnswersA, B, D

Retrying failed operations can handle transient failures.

Why this answer

The Retry pattern is a fundamental resiliency mechanism in cloud-native applications. When a transient failure occurs (e.g., a network timeout or a temporary database unavailability), the application automatically reattempts the failed operation. This pattern is often implemented with exponential backoff and jitter to avoid overwhelming the downstream service, as seen in libraries like Netflix Hystrix or Kubernetes client-go retry logic.

Exam trap

CNCF often tests the distinction between design patterns (like Singleton) and cloud-native resiliency patterns (like Retry, Timeout, Circuit Breaker), so candidates mistakenly select Singleton because it is a well-known pattern, but it does not address fault tolerance or failure recovery.

790
MCQmedium

Which kubectl command is used to apply a manifest file to create or update resources?

A.kubectl update -f manifest.yaml
B.kubectl run -f manifest.yaml
C.kubectl apply -f manifest.yaml
D.kubectl create -f manifest.yaml
AnswerC

This is the correct declarative command.

Why this answer

'kubectl apply' uses a declarative approach to create or update resources defined in a file.

791
Multi-Selecthard

Which THREE of the following are benefits of using a container orchestration platform like Kubernetes? (Select three.)

Select 3 answers
A.Built-in image building and registry
B.Declarative management: specify desired state and let the system converge
C.Faster application startup times
D.Automatic scaling of applications based on demand
E.Self-healing: automatic restart of failed containers
AnswersB, D, E

Kubernetes uses a declarative model where you define the desired state and controllers work to achieve it.

Why this answer

Kubernetes provides self-healing (restart failed containers), scaling (automatic horizontal scaling), and declarative management (desired state reconciliation). Option C is a benefit of containers themselves, not orchestration; Option A is a feature of container runtimes.

792
MCQeasy

Which CNCF project provides a graduated service mesh implementation that includes features like traffic management, security, and observability?

A.Linkerd
B.Consul
C.Envoy
D.Istio
AnswerD

Istio is a graduated CNCF project that provides a complete service mesh.

Why this answer

Istio is a graduated CNCF project that provides a service mesh with features like traffic management, security (mTLS), and observability. Linkerd is also a service mesh but is incubating. Envoy is a proxy, not a full service mesh.

Consul is not a CNCF project.

793
MCQhard

A user creates a Pod with a PersistentVolumeClaim (PVC) that requests 5Gi of storage. The cluster has two PersistentVolumes (PVs): PV1 (3Gi, AccessModes: ReadWriteOnce) and PV2 (10Gi, AccessModes: ReadOnlyMany). The PVC specifies storageClassName: "" and AccessModes: ReadWriteOnce. Which PV will bind to the PVC?

A.PV2 will bind because it has sufficient capacity.
B.Neither PV will bind; the PVC will remain pending.
C.PV1 will bind because it has matching AccessModes.
D.Both PVs will bind to satisfy the request.
AnswerB

No PV satisfies both capacity and access mode requirements.

Why this answer

The PVC requests ReadWriteOnce, so PV2 (ReadOnlyMany) does not match. PV1 matches AccessModes and storageClassName is empty (implies no storage class), but PV1's capacity (3Gi) is less than the request (5Gi). No PV matches, so the PVC remains unbound.

794
MCQeasy

Which component is responsible for running containers on a Kubernetes node?

A.kube-controller-manager
B.kube-proxy
C.kube-apiserver
D.kubelet
AnswerD

The kubelet runs on each node and manages pod lifecycles, including starting containers via the container runtime.

Why this answer

The kubelet is the primary node agent that runs on each Kubernetes node. It is responsible for ensuring that containers are running in a Pod as expected, by interacting with the container runtime (e.g., containerd or CRI-O) to start, stop, and monitor containers based on PodSpecs received from the API server.

Exam trap

The trap here is that candidates often confuse kubelet with kube-controller-manager, thinking the controller manager handles node-level container operations, but the kubelet is the only component that directly manages containers on the node.

How to eliminate wrong answers

Option A is wrong because the kube-controller-manager runs controller processes (like Node Controller, Replication Controller) at the control plane level, not on worker nodes, and does not directly manage containers. Option B is wrong because kube-proxy is a network proxy that handles network rules and service load balancing on each node, but it does not run or manage containers. Option C is wrong because kube-apiserver is the front-end of the Kubernetes control plane that exposes the Kubernetes API; it validates and processes RESTful requests but does not execute container lifecycle operations on nodes.

795
MCQmedium

Which command is used to view the logs of a pod named 'web-pod'?

A.kubectl logs web-pod
B.kubectl describe pod web-pod
C.kubectl get logs web-pod
D.kubectl exec web-pod -- logs
AnswerA

kubectl logs retrieves container logs.

Why this answer

kubectl logs <pod-name> fetches the standard output/error logs from the pod's containers.

796
MCQhard

In a serverless architecture using Knative, what happens to a service that has not received traffic for an extended period?

A.It throws an error and must be redeployed
B.It continues running with one replica to reduce cold start latency
C.It scales down to zero replicas and is reactivated on the next request
D.It is automatically deleted
AnswerC

Knative supports auto-scaling to zero for idle services.

Why this answer

Knative scales to zero when idle, meaning no pods are running, so no cost is incurred.

797
MCQmedium

You are writing a Deployment YAML (apps/v1) for a stateless web application. The application should have 3 replicas and use rolling updates with maxSurge=1 and maxUnavailable=0. Which field should you set under spec.strategy?

A.type: Recreate
B.type: Canary
C.type: OnDelete
D.type: RollingUpdate with rollingUpdate: { maxSurge: 1, maxUnavailable: 0 }
AnswerD

This matches the requirement.

Why this answer

Option D is correct because the Deployment's `spec.strategy.type` must be set to `RollingUpdate` to enable a controlled, incremental update of pods. The `rollingUpdate` field then allows you to specify `maxSurge: 1` (one extra pod above the desired count during update) and `maxUnavailable: 0` (ensure all existing pods remain available during the update), which is the exact configuration for a zero-downtime rolling update with a single surge pod.

Exam trap

CNCF often tests the misconception that `maxSurge` and `maxUnavailable` are top-level fields under `spec.strategy`, when in fact they must be nested inside `rollingUpdate` and the `type` must explicitly be set to `RollingUpdate`.

How to eliminate wrong answers

Option A is wrong because `type: Recreate` terminates all existing pods before creating new ones, which violates the requirement for a rolling update with `maxSurge` and `maxUnavailable` settings. Option B is wrong because `Canary` is not a valid Deployment strategy type in the `apps/v1` API; it is a separate deployment pattern often implemented via service mesh or progressive delivery tools, not a native Kubernetes Deployment field. Option C is wrong because `OnDelete` is a strategy type used by StatefulSets (not Deployments) and only triggers pod replacement when a pod is manually deleted, which does not support automated rolling updates or the specified surge/unavailable parameters.

798
MCQeasy

Which kubectl command can be used to view detailed information about a specific pod, including its current state, events, and resource usage?

A.kubectl describe pod <pod-name>
B.kubectl logs <pod-name>
C.kubectl exec <pod-name> -- /bin/sh
D.kubectl get pod <pod-name> -o yaml
AnswerA

The describe command gives a comprehensive overview including status, conditions, and events.

Why this answer

'kubectl describe pod <pod-name>' provides detailed information about a pod, including events, state, and configuration.

799
MCQeasy

What does SLA stand for in the context of service reliability?

A.Service Level Agreement
B.Service Level Indicator
C.Service Level Availability
D.Service Level Objective
AnswerA

Correct.

Why this answer

SLA stands for Service Level Agreement, a contract specifying the expected service level.

800
MCQhard

An application running in a Kubernetes cluster needs to securely access a third-party API. The API key must be stored in the cluster and mounted into the Pod as an environment variable. Which is the best practice?

A.Create a Secret with the API key and use envFrom or valueFrom in the Pod spec.
B.Store the API key in a ConfigMap and reference it in the Pod spec.
C.Embed the API key directly in the container image.
D.Store the API key in a Pod annotation and read it with kubectl.
AnswerA

Secrets are designed for confidential data and can be injected as environment variables.

Why this answer

Option A is correct: Secrets should be used for sensitive data like API keys. They are base64 encoded (an encoding, not encryption) and can be exposed as environment variables. Option B is wrong because ConfigMaps are for non-sensitive data.

Option C is wrong because storing secrets in plaintext in the image is insecure. Option D is wrong because annotations are not designed for storing secrets, and using them that way is insecure.

801
MCQhard

You have a pod that is scheduled on a node with insufficient memory. The pod's manifest does not have a memory limit, but the node is under memory pressure. What is likely to happen to the pod?

A.The pod will continue running normally because it has no limit
B.The pod will be evicted and rescheduled on a different node
C.The pod will be terminated with a 'CrashLoopBackOff' status
D.The pod will be terminated with a 'OOMKilled' status
AnswerD

OOMKilled occurs when a container is killed by the kernel due to memory exhaustion.

Why this answer

If a pod has no memory limit, it can use as much memory as needed. When the node is under memory pressure, the kernel's OOM killer may target the pod, leading to OOMKilled.

802
Multi-Selecthard

Which THREE of the following are true about Kubernetes labels and selectors?

Select 3 answers
A.Labels are encrypted at rest by default
B.Set-based selectors support operators like 'In' and 'NotIn'
C.Selectors can be used by Services to identify which pods to route traffic to
D.Labels are immutable after creation
E.Labels can be used to organize and select subsets of objects
AnswersB, C, E

Set-based selectors support 'In', 'NotIn', 'Exists', and 'DoesNotExist'.

Why this answer

Option B is correct because Kubernetes set-based selectors support operators like 'In', 'NotIn', 'Exists', and 'DoesNotExist', allowing more flexible matching than equality-based selectors. This is defined in the Kubernetes API specification for label selectors, enabling complex filtering of resources.

Exam trap

CNCF often tests the misconception that labels are immutable like certain other Kubernetes fields, but labels are explicitly designed to be mutable for dynamic resource management.

803
MCQmedium

You need to run a batch job that processes data every hour and exits upon completion. Which Kubernetes resource should you use?

A.Deployment
B.Job
C.DaemonSet
D.CronJob
AnswerB

A Job runs a pod until successful completion.

Why this answer

A Job is the correct Kubernetes resource because it is designed to run a finite task to completion, such as a batch job that processes data every hour and then exits. Unlike a Deployment, which maintains a desired number of continuously running Pods, a Job ensures that a specified number of Pods successfully terminate, making it ideal for one-off or scheduled batch workloads.

Exam trap

CNCF often tests the distinction between a CronJob (the scheduler) and a Job (the actual workload), so candidates mistakenly choose CronJob because the question mentions 'every hour', but the resource that runs and exits is the Job, not the CronJob.

How to eliminate wrong answers

Option A is wrong because a Deployment is intended for long-running, stateless applications that should never exit; it continuously restarts Pods to maintain a desired replica count, which would cause the batch job to run repeatedly rather than exit upon completion. Option C is wrong because a DaemonSet ensures that a copy of a Pod runs on every node (or a subset of nodes) in the cluster, typically for cluster-level services like logging or monitoring, not for a batch job that runs once per hour and exits. Option D is wrong because a CronJob is used to schedule Jobs on a recurring basis (e.g., every hour), but the question specifies that the batch job 'processes data every hour and exits upon completion' — the resource that actually runs and exits is a Job, while the CronJob is the scheduler that creates the Job; the question asks for the resource that runs the workload, not the scheduler.

804
Multi-Selecthard

Which THREE of the following are features typically provided by a service mesh? (Choose three.)

Select 3 answers
A.Observability through metrics and tracing
B.Auto-scaling of pods based on CPU
C.Traffic management between services
D.Security with mutual TLS (mTLS)
E.Service discovery
AnswersA, C, D

Service mesh collects telemetry data for monitoring.

Why this answer

Service mesh provides traffic management (routing, canary releases), observability (metrics, tracing), and security (mTLS, authorization). Auto-scaling is handled by Horizontal Pod Autoscaler or custom metrics, not by the service mesh. Service discovery is often built into Kubernetes itself, though service mesh can enhance it, but it's not a core feature.

805
MCQhard

An administrator needs to ensure that Pods from two different Deployments cannot communicate with each other. Which Kubernetes resource should be used?

A.NetworkPolicy
B.RBAC Role
C.PodSecurityPolicy
D.ResourceQuota
AnswerA

NetworkPolicy defines ingress/egress rules for pod communication.

Why this answer

NetworkPolicy is the correct resource because it acts as a firewall for Kubernetes Pods, controlling ingress and egress traffic at the IP address and port level using layer 3/4 rules. By applying a NetworkPolicy that denies all traffic between the Pods of the two Deployments (e.g., using podSelector and ingress/egress rules with an empty `from` or `to` block), the administrator can enforce network isolation. This is the native Kubernetes mechanism for restricting Pod-to-Pod communication within a cluster.

Exam trap

The trap here is that candidates confuse NetworkPolicy with RBAC or PodSecurityPolicy, mistakenly thinking that authorization or security contexts can control network traffic, when in fact only NetworkPolicy (with a compatible CNI) provides layer 3/4 isolation.

How to eliminate wrong answers

Option B (RBAC Role) is wrong because RBAC controls authorization for Kubernetes API operations (e.g., creating Pods, reading Secrets) and does not manage network traffic between Pods. Option C (PodSecurityPolicy) is wrong because it defines security constraints on Pods (e.g., privileged containers, host namespaces) but has no effect on network communication between Pods. Option D (ResourceQuota) is wrong because it limits aggregate resource consumption (CPU, memory, storage) per namespace and cannot restrict network connectivity between Pods.

806
MCQmedium

Which Kubernetes object provides a stable IP address and DNS name to access a set of pods, and can perform load balancing?

A.Service
B.Ingress
C.Deployment
D.Pod
AnswerA

Services provide stable IP and DNS, and load balance traffic to selected pods.

Why this answer

A Service of type ClusterIP (default) provides a stable endpoint and load balancing across pods matching its selector.

807
Multi-Selectmedium

Which TWO of the following are valid ways to expose a set of pods as a network service in Kubernetes?

Select 2 answers
A.Service of type NodePort
B.NetworkPolicy
C.Service of type ClusterIP
D.Ingress resource
E.Deployment with replicas
AnswersA, C

NodePort exposes the service on each node's IP at a static port.

Why this answer

A Service of type NodePort exposes a set of pods on a static port on each node's IP address, making the service accessible from outside the cluster. This is a valid Kubernetes resource for exposing pods as a network service, as it creates a mapping from a node port to the ClusterIP and then to the target pods.

Exam trap

Cisco often tests the misconception that Ingress or NetworkPolicy can directly expose pods as a network service, but Ingress requires a Service backend and NetworkPolicy only controls traffic, not exposure.

808
MCQeasy

What is the smallest deployable unit in Kubernetes?

A.Node
B.Container
C.Deployment
D.Pod
AnswerD

A Pod is the atomic unit of scheduling in Kubernetes.

Why this answer

A Pod is the smallest and simplest unit that can be created and managed in Kubernetes.

809
MCQmedium

A team is implementing a multi-cloud strategy to avoid vendor lock-in. Which Kubernetes feature is most helpful for abstracting the underlying cloud provider?

A.Services
B.ConfigMaps
C.Namespaces
D.Kubernetes API
AnswerD

The API abstracts infrastructure differences.

Why this answer

The Kubernetes API server provides a consistent interface regardless of the underlying infrastructure. Namespaces organize resources, Services provide networking abstractions, and ConfigMaps store configuration.

810
MCQmedium

Two pods, 'app-v1' and 'app-v2', both have a label 'app: myapp'. A Service 'my-service' has a selector 'app: myapp'. How many endpoints will the Service initially have?

A.2
B.1
C.0
D.Depends on pod readiness
AnswerA

Both pods have the label 'app: myapp', so both are selected and become endpoints.

Why this answer

Option A is correct because the Service's selector 'app: myapp' matches both pods 'app-v1' and 'app-v2', which both carry the label 'app: myapp'. The Service controller automatically creates endpoints for all pods matching the selector, regardless of their readiness state, unless a headless service or custom endpoint logic is involved. Initially, both pods are considered ready by default (unless a readiness probe fails), so the Service will have two endpoints.

Exam trap

The trap here is that candidates often confuse the initial endpoint count with the number of ready pods, but Kubernetes creates endpoints for all matching pods immediately, and readiness only affects traffic routing, not the endpoint count itself.

How to eliminate wrong answers

Option B is wrong because it assumes only one pod matches the selector, but both pods have the label 'app: myapp', so both are selected. Option C is wrong because it suggests no endpoints are created, but the Service controller immediately creates endpoints for all matching pods; zero endpoints would only occur if no pods matched the selector. Option D is wrong because pod readiness does not affect the initial creation of endpoints; endpoints are created for all matching pods, and readiness only affects whether traffic is routed to them (via the endpoints controller removing unready pods from the endpoint list).

811
MCQmedium

A DevOps team wants to adopt a deployment pattern where a new version of an application is gradually rolled out to a small subset of users before full deployment. Which progressive delivery technique should they use?

A.Canary deployment
B.Rolling update
C.Blue-green deployment
D.Recreate deployment
AnswerA

Canary releases a new version to a small subset of users, monitoring before full rollout.

Why this answer

Canary deployment releases the new version to a small percentage of users initially, then gradually increases traffic.

812
MCQmedium

A team notices that a pod remains in 'CrashLoopBackOff' state after deployment. The application logs show 'Error: unable to bind to port 8080'. What is the most likely cause?

A.The pod's resource limits are too low.
B.An environment variable has a typo in the Deployment spec.
C.The readiness probe is misconfigured.
D.The container's port is already in use on the host node.
AnswerD

Correct; a port conflict prevents binding, causing the container to exit.

Why this answer

The error 'unable to bind to port 8080' indicates that the container process cannot open port 8080 for listening. The most likely cause is that another process on the host node is already using port 8080, preventing the container from binding to it. This is a classic port conflict scenario, where the host's network namespace has a port already allocated, and the container (even with its own network namespace) may be using host networking or the port is mapped from the host.

Exam trap

Cisco often tests the misconception that a 'CrashLoopBackOff' with a port bind error is caused by resource limits or probe misconfiguration, when in reality it points to a network-level port conflict on the host node.

How to eliminate wrong answers

Option A is wrong because resource limits being too low would cause the pod to be OOMKilled or throttled, not a bind error on a specific port. Option B is wrong because a typo in an environment variable would cause the application to misread configuration, but the error message explicitly states a port binding failure, not a missing or incorrect variable. Option C is wrong because a misconfigured readiness probe would cause the pod to be marked as not ready and removed from service endpoints, but the pod would still start and run; the error here occurs at container startup before any probe can fail.

813
Multi-Selecthard

Which TWO of the following are best practices for structuring log output in cloud-native applications to maximize observability?

Select 2 answers
A.Include verbose debug-level information in every log line
B.Use multi-line log entries for detailed error information
C.Output logs in structured format such as JSON
D.Include a unique request or correlation ID in each log entry
E.Avoid timestamps to reduce log size
AnswersC, D

Structured logs are machine-parseable and easily ingested by log aggregators.

Why this answer

Option C is correct because structured logging (e.g., JSON) enables automated parsing, filtering, and querying by log aggregation tools like Fluentd, Logstash, or cloud-native observability backends (e.g., Elasticsearch, Loki). This format ensures each log entry has consistent key-value pairs, making it machine-readable and facilitating correlation across distributed services without manual text parsing.

Exam trap

CNCF often tests the misconception that 'more detail is better' (Option A) or that 'human readability' (Option B) is the priority, when in cloud-native observability, machine-parseable, single-line structured logs are the standard for scalability and automation.

814
MCQeasy

What is the smallest deployable unit in Kubernetes?

A.Pod
B.Node
C.Container
D.Deployment
AnswerA

A Pod is the smallest deployable unit that can be created, scheduled, and managed.

Why this answer

A Pod is the smallest deployable unit in Kubernetes because it encapsulates one or more containers that share the same network namespace, storage volumes, and lifecycle. While containers are the runtime processes, Kubernetes schedules and manages Pods as atomic units, meaning you cannot deploy a container directly without a Pod wrapper.

Exam trap

The trap here is that candidates confuse 'container' as the smallest unit because Docker popularized container-centric thinking, but Kubernetes abstracts containers into Pods as the fundamental scheduling and deployment boundary.

How to eliminate wrong answers

Option B is wrong because a Node is a worker machine (physical or virtual) that hosts Pods, not a deployable unit itself; you deploy Pods onto Nodes. Option C is wrong because a Container is the runtime process inside a Pod, but Kubernetes does not schedule containers individually—they must be part of a Pod. Option D is wrong because a Deployment is a higher-level controller that manages the desired state of ReplicaSets and Pods, but the smallest unit it directly operates on is still the Pod.

815
MCQ · medium

A retail company runs its e-commerce platform on Kubernetes. During a flash sale, the application experiences high latency. The team notices that the database pods are CPU-bound and the application pods are waiting on database responses. Which architectural change would best address this bottleneck?

A. Change the database service type from ClusterIP to NodePort.
B. Implement read replicas for the database and configure the application to use them for read operations.
C. Increase the number of application pod replicas.
D. Store database configuration in a ConfigMap to improve startup time.
Answer: B

Read replicas distribute the read load, reducing CPU pressure on the primary database.

Why this answer

The bottleneck is caused by the database being CPU-bound, meaning it cannot process requests fast enough. Implementing read replicas offloads read queries from the primary database, reducing its CPU load and allowing it to handle write operations more efficiently. The application can be configured to route read operations to the replicas, which directly addresses the latency caused by waiting on database responses.

Exam trap

CNCF often tests the misconception that scaling application pods (Option C) is a universal fix for performance issues, but here it would amplify the database bottleneck rather than resolve it.

How to eliminate wrong answers

Option A is wrong because changing the service type from ClusterIP to NodePort exposes the database externally but does nothing to reduce its CPU load or improve query processing speed. Option C is wrong because increasing application pod replicas would only increase the number of requests hitting the already CPU-bound database, worsening the bottleneck. Option D is wrong because storing database configuration in a ConfigMap improves manageability and startup time but has no impact on runtime database CPU utilization or query latency.

816
Matching · medium

Match each Kubernetes scheduler concept to its description.

Concepts
Matches

Constraints that attract pods to nodes based on node labels

Mechanism to repel pods from nodes unless they tolerate the taint

Minimum amount of CPU/memory guaranteed to a container

Maximum amount of CPU/memory a container can use

Indicates importance of a pod relative to others for preemption

Why these pairings

These concepts control how pods are scheduled and allocated resources.

817
MCQ · hard

You need to ensure that a pod runs on a node with SSD storage. How can you achieve this?

A. Use nodeSelector with a label that matches nodes having SSDs
B. Use a taint on nodes without SSDs and a toleration on the pod
C. Use pod anti-affinity to avoid nodes without SSDs
D. Use node affinity with requiredDuringSchedulingIgnoredDuringExecution
Answer: D

Node affinity allows you to specify hard or soft constraints. Using requiredDuringSchedulingIgnoredDuringExecution ensures the pod is only scheduled on nodes with the specified label.

Why this answer

Node affinity is a set of rules used by the scheduler to determine which nodes a pod can be placed on. Labels on nodes can be used to indicate hardware characteristics like SSD storage.

818
MCQ · easy

A pod is stuck in 'Pending' state. 'kubectl describe pod' shows '0/4 nodes are available: 4 node(s) had taint {node.kubernetes.io/unreachable: }, that the pod didn't tolerate.' What is the most likely cause?

A. All nodes have disk pressure.
B. All nodes are unreachable or have been cordoned.
C. The pod has a toleration that matches the taint.
D. The nodes do not have enough CPU or memory.
Answer: B

The taint indicates nodes are unreachable.

Why this answer

The taint `node.kubernetes.io/unreachable` is automatically added by the node controller when a node becomes unreachable (e.g., network failure, kubelet stops heartbeating). The error shows all 4 nodes have this taint and the pod has no matching toleration, meaning the scheduler cannot place the pod. This directly indicates all nodes are unreachable or have been cordoned (which also adds the `node.kubernetes.io/unschedulable` taint, but here the specific taint is `unreachable`).

Exam trap

Cisco often tests the distinction between taint types — candidates confuse `unreachable` with resource-based taints like `disk-pressure` or `insufficient-memory`, or assume a toleration would solve the issue when the problem is that no toleration exists.

How to eliminate wrong answers

Option A is wrong because disk pressure is indicated by the taint `node.kubernetes.io/disk-pressure`, not `node.kubernetes.io/unreachable`. Option C is wrong because if the pod had a toleration matching the taint, it would be scheduled despite the taint, but the error explicitly states the pod didn't tolerate it. Option D is wrong because insufficient CPU or memory would show taints like `node.kubernetes.io/insufficient-cpu` or `node.kubernetes.io/insufficient-memory`, not the `unreachable` taint.

819
MCQ · medium

Which Kubernetes object should you use to store non-sensitive configuration data that can be consumed by Pods as environment variables or mounted files?

A. Secret
B. PersistentVolume
C. ConfigMap
D. Service
Answer: C

ConfigMap is used to store non-confidential configuration data in key-value pairs.

Why this answer

ConfigMap is the correct Kubernetes object for storing non-sensitive configuration data, such as key-value pairs or configuration files. It is designed to decouple configuration artifacts from container images, allowing Pods to consume this data as environment variables, command-line arguments, or mounted files in a volume. Unlike Secrets, ConfigMaps do not provide encryption or base64 encoding by default, making them suitable only for non-sensitive information.

Exam trap

The trap here is that candidates often confuse ConfigMaps with Secrets, assuming both are interchangeable for configuration, but Cisco tests the distinction that Secrets are for sensitive data and ConfigMaps are for non-sensitive data, and that PersistentVolume is for storage, not configuration.

How to eliminate wrong answers

Option A is wrong because Secret is specifically designed for storing sensitive data (e.g., passwords, tokens, SSH keys) and uses base64 encoding with optional encryption at rest, not for non-sensitive configuration. Option B is wrong because PersistentVolume is an abstraction for storage resources (e.g., NFS, iSCSI) that provides persistent storage volumes to Pods, not for storing configuration data as environment variables or files. Option D is wrong because Service is a networking abstraction that exposes a set of Pods as a network service (e.g., ClusterIP, NodePort), and it cannot store or provide configuration data to Pods.

820
MCQ · medium

A developer wants to view the logs of a specific container named 'sidecar' inside a pod named 'app-pod'. Which command should they use?

A. kubectl log app-pod --container sidecar
B. kubectl logs app-pod sidecar
C. kubectl logs -c sidecar app-pod
D. kubectl logs app-pod -c sidecar
Answer: D

This command correctly uses the -c flag to select the container.

Why this answer

The -c flag specifies the container name. The correct command is 'kubectl logs app-pod -c sidecar'.

821
MCQ · hard

A pod is stuck in the 'Pending' state. Which command would you use to get more details about why the pod cannot be scheduled?

A. kubectl logs <pod-name>
B. kubectl exec -it <pod-name> -- sh
C. kubectl describe pod <pod-name>
D. kubectl get pod <pod-name> -o yaml
Answer: C

Describe shows events and status that indicate scheduling issues.

Why this answer

'kubectl describe pod <pod-name>' shows events and conditions that explain why the pod is pending, such as resource shortages or node selector mismatches.

822
MCQ · medium

A pod is stuck in 'Pending' state. Which of the following is a likely cause?

A. The pod's command returned a non-zero exit code
B. The container image is invalid
C. Insufficient CPU or memory resources on any available node
D. The pod's liveness probe failed
Answer: C

If no node can satisfy the pod's resource requests, the scheduler leaves it Pending.

Why this answer

Pending means the scheduler cannot place the pod. Insufficient resources on nodes is a common cause. Option C is correct.

823
MCQ · medium

A Deployment named 'web-app' is configured with replicas: 3. You update the container image. Which Kubernetes object directly manages the pods during the rolling update?

A. StatefulSet
B. DaemonSet
C. Job
D. ReplicaSet
Answer: D

Deployment manages ReplicaSets, which in turn manage pods.

Why this answer

The Deployment creates a new ReplicaSet for the new version and scales it up while scaling down the old ReplicaSet. Pods are managed by ReplicaSets, not by the Deployment directly.

824
MCQ · easy

Which kubectl command is used to see the logs of a container in a pod?

A. kubectl attach <pod-name>
B. kubectl logs <pod-name>
C. kubectl exec <pod-name> -- cat /var/log/app.log
D. kubectl describe pod <pod-name>
Answer: B

Correct command.

Why this answer

kubectl logs <pod-name> retrieves logs from the container. If the pod has multiple containers, use -c to specify which container's logs to retrieve.

825
MCQ · hard

A developer reports that a Pod cannot reach another Service in the same namespace via its DNS name. The Service name is 'api'. What is the correct DNS query for a Pod to resolve this Service?

A. api.svc.cluster.local
B. api.namespace.svc.cluster.local
C. api
D. api.default.svc.cluster.local
Answer: C

Within the same namespace, the short name works.

Why this answer

Option C is correct because when a Pod and a Service are in the same namespace, Kubernetes DNS resolves the Service using just the Service name (e.g., 'api'). The DNS search domain configured in the Pod's resolv.conf (e.g., <namespace>.svc.cluster.local) appends the namespace and cluster suffix automatically, so a short query like 'api' resolves correctly without needing the full FQDN.

Exam trap

The trap here is that candidates often assume the full FQDN (e.g., 'api.svc.cluster.local') is always required, forgetting that DNS search domains in the Pod's resolv.conf enable short-name resolution within the same namespace.

How to eliminate wrong answers

Option A is wrong because 'api.svc.cluster.local' omits the namespace, which is required in the full DNS name; the correct FQDN for a cross-namespace query would be 'api.<namespace>.svc.cluster.local'. Option B is wrong because it includes 'namespace' as a literal string instead of the actual namespace name (e.g., 'default'), making it invalid unless the namespace is literally named 'namespace'. Option D is wrong because it assumes the namespace is 'default', which is not guaranteed; the Pod and Service could be in any namespace, and the short name 'api' works only within the same namespace.
