Kubernetes and Cloud Native Associate (KCNA) — Questions 976–997

997 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976
MCQ · medium

A Kubernetes administrator needs to restrict inbound traffic to a set of pods. Only pods with the label 'app: frontend' in the same namespace should be allowed to reach the pods on TCP port 8080. Which resource should be used?

A. Ingress
B. PodSecurityPolicy
C. ServiceAccount
D. NetworkPolicy
Answer: D

NetworkPolicy defines network access rules between pods.

Why this answer

NetworkPolicy is the correct resource because it is a Kubernetes-native object that defines how groups of pods are allowed to communicate with each other and other network endpoints. By specifying a pod selector matching 'app: frontend' and an ingress rule allowing TCP port 8080, you can restrict inbound traffic to only those pods with that label in the same namespace.

Exam trap

The trap here is that candidates confuse Ingress (external HTTP routing) with NetworkPolicy (internal pod-to-pod traffic control), leading them to choose Ingress when the question explicitly restricts inbound traffic within the same namespace.

How to eliminate wrong answers

Option A is wrong because Ingress is an API object that manages external HTTP/S traffic to services, not pod-to-pod traffic within the cluster. Option B is wrong because PodSecurityPolicy is a cluster-level resource that controls security-sensitive aspects of the pod specification (e.g., privilege escalation, host namespaces), not network traffic rules. Option C is wrong because a ServiceAccount provides an identity for processes running in a pod to authenticate to the Kubernetes API server; it does not enforce network-level access controls.

977
Multi-Select · hard

Which THREE of the following are correct statements about Kubernetes Deployments?

Select 3 answers
A. Deployments support canary deployments natively
B. A Deployment manages ReplicaSets
C. A Deployment directly manages Pods
D. The default update strategy is RollingUpdate
E. Deployment supports rolling back to an earlier revision
Answers: B, D, E

Deployment creates and manages ReplicaSets to ensure the desired state.

Why this answer

A Deployment manages ReplicaSets, which in turn manage Pods. This is the core abstraction: the Deployment controller creates and updates ReplicaSets to achieve the desired state, and each ReplicaSet ensures a specified number of Pod replicas are running. This layered architecture enables features like rolling updates and rollbacks without the Deployment directly interacting with individual Pods.

Exam trap

Cisco often tests the misconception that Deployments directly manage Pods, when in fact they manage ReplicaSets, and that canary deployments are a built-in feature of Deployments, whereas they require external traffic management.

978
MCQ · medium

Which component in a service mesh is responsible for collecting telemetry data and enforcing traffic policies?

A. Control plane
B. Sidecar proxy (data plane)
C. Certificate authority
D. Service mesh ingress gateway
Answer: B

The sidecar proxy is part of the data plane and performs these functions.

Why this answer

The sidecar proxy (often Envoy) intercepts all traffic and collects metrics, traces, and logs, and also enforces traffic management rules.

979
MCQ · easy

Which of the following is a core principle of cloud native architecture as defined by the CNCF?

A. Monolithic design
B. Microservices
C. Single point of failure
D. Manual scaling
Answer: B

Why this answer

Microservices are one of the key architectural principles of cloud native applications.

980
MCQ · medium

Which of the following best describes the 12-factor app methodology's approach to configuration?

A. Configuration is hardcoded in the application code
B. Configuration is stored in environment variables
C. Configuration is stored in a database and accessed at runtime
D. Configuration is managed by a configuration server
Answer: B

12-factor apps store config in environment variables for ease of change across deployments.

Why this answer

The 12-factor app methodology states that configuration should be stored in environment variables to separate config from code.

981
MCQ · hard

According to DORA metrics, which metric measures the percentage of deployments that fail in production?

A. Change Failure Rate
B. Mean Time to Restore (MTTR)
C. Deployment Frequency
D. Lead Time for Changes
Answer: A

Why this answer

Change Failure Rate is the percentage of deployments causing a failure in production, so Option A is correct. Option B (Mean Time to Restore) measures how long it takes to recover from a failure. Option C (Deployment Frequency) measures how often deployments occur. Option D (Lead Time for Changes) measures the time from commit to production.

982
Multi-Select · easy

Which THREE of the following are benefits of using a service mesh in a cloud native architecture?

Select 3 answers
A. Management of application state across services
B. Traffic management capabilities like canary deployments
C. Reduction of container image sizes
D. Improved security through mutual TLS encryption
E. Enhanced observability with metrics and tracing
Answers: B, D, E

Service mesh enables advanced traffic routing and canary releases.

Why this answer

Options B, D, and E are correct. A service mesh provides traffic management (e.g., routing, load balancing, canary deployments), security (e.g., mTLS), and observability (e.g., metrics, tracing). Option C (reducing container image size) is not a benefit of a service mesh. Option A (managing application state) is not a service mesh function; state management is handled by other tools.

983
MCQ · easy

Which component of the Kubernetes control plane stores the cluster state?

A. etcd
B. kube-controller-manager
C. kube-scheduler
D. kube-apiserver
Answer: A

etcd is the key-value store for cluster state.

Why this answer

etcd is a distributed key-value store that persists the entire cluster configuration and state.

984
MCQ · easy

Which Kubernetes control plane component is responsible for storing the cluster state and configuration data?

A. kube-controller-manager
B. etcd
C. kube-apiserver
D. kube-scheduler
Answer: B

etcd is the key-value store used to persist all cluster data and configuration.

Why this answer

Option B is correct. etcd is a distributed key-value store that holds the cluster state and configuration. kube-apiserver exposes the API, kube-scheduler assigns pods to nodes, and kube-controller-manager runs controllers.

985
Multi-Select · medium

Which TWO of the following are responsibilities of the kube-controller-manager?

Select 2 answers
A. Assigning pods to nodes based on resource requirements
B. Ensuring the correct number of pod replicas are running
C. Implementing network rules for Services
D. Monitoring node health and responding to node failures
E. Storing the cluster state
Answers: B, D

The Replication Controller ensures the desired number of replicas.

Why this answer

The kube-controller-manager runs controller processes that regulate the state of the cluster. The ReplicaSet controller, which runs inside the kube-controller-manager, is responsible for ensuring that the desired number of pod replicas are running at all times, creating or deleting pods as necessary to match the specified replica count.

Exam trap

The trap here is that candidates often confuse the kube-controller-manager's role in node health monitoring with the kube-scheduler's role in pod placement, or they mistakenly think the controller-manager handles network rules, which is actually done by kube-proxy.

986
Multi-Select · medium

Which TWO of the following are common characteristics of serverless computing? (Choose two.)

Select 2 answers
A. Auto-scaling to zero when idle
B. Event-driven execution
C. Manual scaling based on predicted load
D. Always-on dedicated servers
E. Long-running stateful processes
Answers: A, B

Idle functions consume no resources.

Why this answer

Event-driven execution and auto-scaling to zero are key serverless characteristics.

987
MCQ · medium

A Deployment is configured with 'replicas: 4' and 'strategy.type: RollingUpdate'. You update the container image. What behavior does the Deployment exhibit?

A. The Deployment creates 8 Pods total, 4 old and 4 new
B. All 4 Pods are deleted immediately and then 4 new Pods are created
C. New Pods are created before old ones are terminated, one at a time
D. The update is paused until manually resumed
Answer: C

RollingUpdate replaces Pods incrementally.

Why this answer

With a RollingUpdate strategy, the Deployment controller replaces old Pods with new ones incrementally to ensure zero downtime. By default, it creates new Pods before terminating old ones (maxSurge=25%, maxUnavailable=25%), so one new Pod is created first, then one old Pod is terminated, repeating until all 4 Pods run the new image.

Exam trap

The trap here is that candidates confuse RollingUpdate with Recreate (Option B) or assume all Pods are replaced simultaneously (Option A), failing to recognize the incremental, surge-based behavior controlled by maxSurge and maxUnavailable defaults.

How to eliminate wrong answers

Option A is wrong because a RollingUpdate does not create 8 Pods simultaneously; it creates at most 1 extra Pod (maxSurge=25% of 4 = 1) beyond the desired 4, so the total is 5, not 8. Option B is wrong because deleting all Pods immediately is a Recreate strategy, not RollingUpdate, which would cause downtime. Option D is wrong because the update is not paused; a paused update requires explicitly setting 'paused: true' in the Deployment spec, which is not mentioned in the question.

988
MCQ · hard

A company defines an SLO that 99.9% of requests to a service should complete in under 200ms. Which metric type is used to measure this SLO?

A. Summary
B. Histogram
C. Gauge
D. Counter
Answer: B

Histograms allow calculating quantiles like p99 latency.

Why this answer

The SLO is based on latency, which is typically measured using a histogram to track request durations.

989
MCQ · medium

Your application requires persistent storage that must be available across pod restarts and rescheduling. What is the recommended approach?

A. Store data in the container's writable layer
B. Use a hostPath volume
C. Use an emptyDir volume
D. Use a PersistentVolumeClaim (PVC) and mount it into the pod
Answer: D

PVCs provide durable storage that persists beyond pod restarts.

Why this answer

PersistentVolumeClaims (PVCs) request storage from PersistentVolumes (PVs), which are cluster resources that provide durable storage independent of pod lifecycle.

990
MCQ · medium

A DevOps team wants to collect and forward logs from all nodes in a Kubernetes cluster to a centralized logging backend. Which component is specifically designed for lightweight log collection and forwarding?

A. Fluent Bit
B. Prometheus
C. Jaeger
D. Grafana
Answer: A

Fluent Bit is lightweight and designed for log collection.

Why this answer

Fluent Bit is a lightweight log processor and forwarder, ideal for Kubernetes nodes.

991
MCQ · medium

You want to update a Deployment's container image to v2 and perform a rolling update. Which kubectl command achieves this?

A. `kubectl update deployment my-deployment --image=myapp:v2`
B. `kubectl replace -f updated-deployment.yaml`
C. `kubectl patch deployment my-deployment -p '{"spec":{"template":{"spec":{"containers":[{"name":"my-container","image":"myapp:v2"}]}}}}'`
D. `kubectl set image deployment/my-deployment my-container=myapp:v2 --record`
Answer: D

Why this answer

Option D is correct because `kubectl set image deployment/my-deployment my-container=myapp:v2 --record` directly updates the container image of a specified container within a Deployment and triggers a rolling update by default. The `--record` flag annotates the change for audit history, which is useful for tracking rollouts. This command is the standard imperative approach for updating container images in Kubernetes Deployments.

Exam trap

CNCF often tests the distinction between imperative commands like `kubectl set image` and declarative approaches like `kubectl apply` or `kubectl replace`, and candidates may mistakenly choose `kubectl patch` or an invalid command like `kubectl update` due to familiarity with other orchestrators or confusion about the correct imperative syntax.

How to eliminate wrong answers

Option A is wrong because `kubectl update` is not a valid kubectl command; the correct imperative command for updating a Deployment's image is `kubectl set image`. Option B is wrong because `kubectl replace -f updated-deployment.yaml` performs a full replacement of the Deployment object, which is a declarative approach that does not inherently trigger a rolling update; it replaces the entire resource definition, potentially causing downtime if not managed carefully. Option C is wrong because, while `kubectl patch` can update the container image, it requires a complex JSON patch and only triggers a rolling update when the patch modifies the pod template spec; it is less straightforward and not the recommended imperative command for this specific task.

992
MCQ · easy

Which of the following best describes the purpose of the CNCF (Cloud Native Computing Foundation)?

A. To host and foster open source cloud native projects and promote cloud native technologies
B. To standardize cloud APIs across all public cloud providers
C. To provide certification programs and best practices for cloud native computing
D. To develop and maintain a single cloud native technology stack
Answer: A

The CNCF is a vendor-neutral home for many cloud native projects, fostering their growth and adoption.

Why this answer

The CNCF is a vendor-neutral foundation that hosts and fosters cloud native projects like Kubernetes, Prometheus, and Envoy, promoting cloud native technologies and practices.

993
MCQ · medium

A Service of type ClusterIP is created to expose a set of pods. How does the Service achieve load balancing to the pods?

A. The API server routes traffic directly to the pods
B. The kube-proxy component on each node sets up network rules to forward traffic to the pods
C. The kubelet configures the container runtime to route traffic
D. Using a cloud load balancer
Answer: B

kube-proxy handles the implementation of ClusterIP Services.

Why this answer

kube-proxy on each node implements the Service by setting up iptables or IPVS rules to distribute traffic to the endpoints.

994
MCQ · easy

A team is deploying a new microservice that processes sensitive user data. They want to ensure that secrets such as database passwords are not exposed in the container image or environment variables. Which approach should they use?

A. Embed the secret directly in the Docker image and use it via environment variables
B. Store the secret in a ConfigMap and reference it in the pod spec
C. Store the secret in a Kubernetes Secret and mount it as a volume in the pod
D. Use a PersistentVolumeClaim to store the secret and mount it into the pod
Answer: C

Secrets are designed for sensitive data; volume mounts reduce exposure.

Why this answer

Option C is correct because Kubernetes Secrets are designed specifically to store sensitive data like database passwords. Mounting the Secret as a volume ensures the secret data is available to the pod as files, without being exposed in environment variables (which can be leaked via logs or `kubectl describe`) or embedded in the container image. This approach follows security best practices for handling sensitive information in cloud-native applications.

Exam trap

CNCF often tests the misconception that ConfigMaps are suitable for secrets because they can store key-value pairs, but the trap is that ConfigMaps store data in plaintext and are not designed for sensitive information, whereas Secrets provide base64 encoding and optional encryption at rest.

How to eliminate wrong answers

Option A is wrong because embedding secrets directly in a Docker image makes them part of the image layers, which can be inspected by anyone with access to the image registry, violating the principle of least privilege. Option B is wrong because ConfigMaps are intended for non-sensitive configuration data; storing secrets in a ConfigMap leaves them unencrypted and accessible via `kubectl get configmap`, which is a security risk. Option D is wrong because PersistentVolumeClaims are used for persistent storage of application data, not for storing secrets; they lack the encryption and access control features provided by Kubernetes Secrets.

995
Multi-Select · medium

Which two of the following are Kubernetes controllers that run inside the kube-controller-manager? (Select TWO)

Select 2 answers
A. kubelet
B. Replication controller
C. etcd
D. Node controller
E. kube-scheduler
Answers: B, D

Ensures correct number of pod replicas.

Why this answer

Node controller and Replication controller are part of the controller-manager. The scheduler is a separate component. kubelet is a node agent, not a controller.

996
MCQ · medium

A pod is in CrashLoopBackOff. You check the logs and see 'Error: container process not found'. What is the most likely cause?

A. The pod has insufficient memory
B. The liveness probe is misconfigured
C. The container's entrypoint or command is incorrect
D. The container image is missing
Answer: C

If the entrypoint doesn't exist or fails, the container exits, causing CrashLoopBackOff.

Why this answer

The container's entrypoint or command may be misconfigured, causing the container to exit immediately.

997
Multi-Select · medium

Which TWO of the following are valid methods for exposing a Service externally?

Select 2 answers
A. ExternalName
B. Ingress
C. LoadBalancer
D. ClusterIP
E. NodePort
Answers: C, E

LoadBalancer provisions an external load balancer.

Why this answer

Option C (LoadBalancer) is correct because it provisions an external load balancer (e.g., AWS ELB, GCP TCP LB) that assigns a public IP address to the Service, making it accessible from outside the cluster. Option E (NodePort) is correct because it exposes the Service on a static port (30000–32767) on every Node's IP, allowing external traffic to reach the Service via `<NodeIP>:<NodePort>`. Both are valid Service types in Kubernetes for external exposure.

Exam trap

The trap here is that candidates often confuse Ingress as a Service type or think ExternalName provides external access, when in fact Ingress is a separate resource and ExternalName is purely a DNS alias with no proxying or port exposure.
