Kubernetes and Cloud Native Associate KCNA (KCNA) — Questions 76–150

997 questions total · 14 pages · All types, answers revealed

Page 2 of 14

76
MCQ · medium

A Pod has been in 'Pending' state for an unusual amount of time. Which of the following is a likely cause?

A. The container image is invalid
B. The Pod's liveness probe is failing
C. The cluster does not have enough resources to schedule the Pod
D. The Service pointing to the Pod is misconfigured
Answer: C

Pending often means the scheduler cannot find a node with sufficient resources.

Why this answer

Pending state indicates the Pod has not been scheduled. Insufficient cluster resources (CPU/memory) is a common reason.

77
MCQ · medium

Which resource type provides a stable IP address and DNS name to access a set of Pods, regardless of Pod IP changes?

A. Ingress
B. ConfigMap
C. Deployment
D. Service
Answer: D

Services provide stable networking for Pods.

Why this answer

A Service provides a stable endpoint (IP and DNS) that load-balances traffic to a set of pods selected by labels.

78
Multi-Select · medium

Which TWO statements about Kubernetes Services are correct?

Select 2 answers
A. A Service can only route traffic to Pods in the same namespace
B. A Service can only be of type ClusterIP
C. A Service automatically scales Pods based on load
D. A Service provides a stable IP address for Pods
E. A Service uses selectors to identify target Pods
Answers: D, E

Services have a virtual IP that remains stable even as Pods change.

Why this answer

Option D is correct because a Kubernetes Service provides a stable virtual IP address that remains constant even as the underlying Pods are created, destroyed, or rescheduled. This decouples clients from the ephemeral nature of Pod IPs, ensuring reliable connectivity within the cluster.

Exam trap

The trap here is that candidates often confuse the Service's role in providing a stable IP with the idea that it also handles scaling, or they mistakenly think Services are restricted to a single namespace or type, when in fact they are flexible across namespaces and types.

79
MCQ · medium

A user runs 'kubectl get pods -n production' and sees no output. What is the most likely reason?

A. The kube-apiserver is down
B. There are no pods in the 'production' namespace
C. The user does not have permissions to list pods
D. The namespace does not exist
Answer: B

If the namespace exists but has no pods, the command returns no output.

Why this answer

If no pods exist in the namespace, kubectl returns no output (no resources found).

80
MCQ · hard

You have a Pod with a container that runs a web server. The Pod has a memory request of 256Mi and a memory limit of 512Mi. The container attempts to allocate 600Mi of memory. What happens?

A. The memory limit is automatically increased to 600Mi
B. The container is killed by the OOM killer, and the Pod enters CrashLoopBackOff
C. The Pod is evicted from the node
D. The container is allowed to use up to 600Mi because the limit is a soft constraint
Answer: B

Exceeding the memory limit triggers OOM kill; the container restarts and may crash again.

Why this answer

When a container exceeds its memory limit, the kernel OOM killer terminates the container. The container may be restarted by the kubelet depending on the restart policy.

81
Multi-Select · hard

Which THREE of the following are valid fields in a Kubernetes Deployment spec (apps/v1)?

Select 3 answers
A. replicas
B. template
C. selector
D. containers
E. nodeName
Answers: A, B, C

Specifies the desired number of pods.

Why this answer

Option A is correct because the `replicas` field is a standard part of the Deployment spec under `apps/v1`, defining the desired number of Pod replicas. Option B is correct because the `template` field is mandatory, containing the Pod template that describes the Pods to be created. Option C is correct because the `selector` field is required to match the Pods managed by the Deployment, ensuring the ReplicaSet controls the correct Pods.

Exam trap

CNCF often tests the distinction between fields that belong to the Deployment spec versus fields that belong to the Pod spec, so candidates mistakenly select `containers` or `nodeName` as top-level Deployment fields.

82
MCQ · medium

You want to expose a set of pods running a web application on port 80 internally within the cluster, with a stable IP address, so that other services can reach them. Which Kubernetes resource should you create?

A. Service (ClusterIP)
B. Ingress
C. Deployment
D. Pod
Answer: A

A Service provides a stable IP and load-balances traffic to pods.

Why this answer

A Service of type ClusterIP provides a stable internal IP and DNS name for a set of pods.

83
Drag & Drop · medium

Drag and drop the steps to scale a Kubernetes Deployment horizontally into the correct order.

Why this order

Scale command, check pods, verify deployment, monitor rollout, and adjust resources if needed.

84
MCQ · easy

What is the primary purpose of Kubernetes?

A. To compile source code
B. To orchestrate containers across a cluster
C. To run virtual machines
D. To manage physical servers
Answer: B

Kubernetes automates the deployment, scaling, and management of containerized applications.

Why this answer

Kubernetes is a container orchestration platform designed to automate the deployment, scaling, and management of containerized applications across a cluster of nodes. Its primary purpose is to abstract the underlying infrastructure and provide a declarative way to run and manage containers, ensuring desired state and self-healing. This directly corresponds to orchestrating containers across a cluster, not compiling code, running VMs, or managing physical servers.

Exam trap

CNCF often tests the misconception that Kubernetes is a general-purpose infrastructure manager, but the trap here is confusing container orchestration with VM management or physical server administration, leading candidates to pick Option C or D.

How to eliminate wrong answers

Option A is wrong because Kubernetes does not compile source code; compilation is handled by build tools like Docker or language-specific compilers, while Kubernetes only runs the resulting container images. Option C is wrong because Kubernetes is designed for containers, not virtual machines; it can orchestrate VMs via providers like KubeVirt, but that is a specialized extension, not its primary purpose. Option D is wrong because Kubernetes abstracts physical servers into a cluster and manages container workloads, not the physical hardware itself; hardware management is the role of infrastructure tools like IPMI or provisioning systems.

85
Multi-Select · medium

Which TWO of the following are valid Prometheus metric types?

Select 2 answers
A. Quantile
B. Counter
C. Timer
D. Meter
E. Gauge
Answers: B, E

Correct. A cumulative metric that only increases.

Why this answer

Prometheus supports counter, gauge, histogram, and summary. Counter and Gauge are valid; Timer and Quantile are not; Meter is from OpenTelemetry.

86
MCQ · easy

Which kubectl command would you use to view detailed information about a specific pod, including events and container status?

A. kubectl explain pod
B. kubectl get pod <pod-name>
C. kubectl logs pod <pod-name>
D. kubectl describe pod <pod-name>
Answer: D

This command provides a detailed description of the pod including events and container statuses.

Why this answer

Option D is correct because `kubectl describe pod <pod-name>` provides a comprehensive view of a pod's metadata, spec, status, conditions, container resource usage, and a chronological list of events (e.g., scheduling, pulling images, container restarts). This command aggregates information from the Kubernetes API server, including the pod's current state and lifecycle events, which is essential for debugging pod failures or unexpected behavior.

Exam trap

CNCF often tests the distinction between `kubectl get` (summary) and `kubectl describe` (detailed with events), expecting candidates to know that only `describe` surfaces the event stream and container state transitions needed for troubleshooting.

How to eliminate wrong answers

Option A is wrong because `kubectl explain pod` only displays the API documentation for the Pod resource schema (fields and descriptions), not runtime details or events about a specific pod instance. Option B is wrong because `kubectl get pod <pod-name>` outputs a concise summary (name, status, restarts, age) but omits detailed container status, conditions, and events. Option C is wrong because `kubectl logs pod <pod-name>` retrieves only the stdout/stderr output from the pod's containers, not the pod's metadata, status, or Kubernetes events.

87
MCQ · hard

A Service of type ClusterIP has been created, but pods in the same namespace cannot reach it by its DNS name. The Service selector matches the pods. What is a likely cause?

A. The Service YAML does not specify a port
B. The kube-dns or CoreDNS pod is not running
C. The Service is not exposed on a node port
D. The pods are using an incorrect container runtime
Answer: B

DNS resolution is provided by CoreDNS; if it is down, DNS names cannot be resolved.

Why this answer

CoreDNS provides DNS service discovery for Services. If it is not running or misconfigured, DNS resolution will fail.

88
MCQ · hard

You need to run a one-time batch job that processes data and then exits. The job should run to completion and not be restarted. Which Kubernetes resource should you use?

A. DaemonSet
B. Job
C. Deployment
D. StatefulSet
Answer: B

Jobs are designed for batch processing and run to completion.

Why this answer

A Kubernetes Job is designed for one-time batch processing tasks that run to completion and are not restarted. It creates one or more Pods and ensures they successfully terminate, making it the correct choice for a non-repeating, finite workload.

Exam trap

CNCF often tests the distinction between a Job and a CronJob, where candidates might mistakenly choose a CronJob for a one-time task, or confuse a Job's restart behavior with that of a Deployment's rolling update.

How to eliminate wrong answers

Option A is wrong because a DaemonSet ensures that a copy of a Pod runs on all (or a subset of) nodes, typically for long-running services like log collectors or monitoring agents, not for one-time batch jobs. Option C is wrong because a Deployment manages a set of identical Pods to maintain a desired replica count for long-running, stateless applications, and it will restart Pods if they exit, which contradicts the requirement that the job should not be restarted. Option D is wrong because a StatefulSet is used for stateful applications that require stable, unique network identities and persistent storage, such as databases, and is not intended for ephemeral batch processing.

89
MCQ · medium

In OpenTelemetry, which component is responsible for receiving, processing, and exporting telemetry data from multiple sources?

A. OpenTelemetry Collector
B. OpenTelemetry SDK
C. OpenTelemetry Exporter
D. OpenTelemetry API
Answer: A

The Collector is a pipeline component for receiving, processing, and exporting data.

Why this answer

The OpenTelemetry Collector is a vendor-agnostic agent that receives, processes, and exports telemetry data.

90
Multi-Select · easy

Which two commands are valid for viewing information about pods in a namespace named 'production'?

Select 2 answers
A. kubectl logs pods -n production
B. kubectl get pods -n production
C. kubectl get all -n production
D. kubectl run pod --image=nginx -n production
E. kubectl describe pod <pod-name> -n production
Answers: B, E

Correct.

Why this answer

kubectl get pods and kubectl describe pod are standard commands.

91
MCQ · hard

Which of the following is a resiliency pattern that limits the number of concurrent requests to a service to prevent overload?

A. Retry
B. Timeout
C. Bulkhead
D. Circuit breaker
Answer: C

Bulkhead pattern isolates different parts of a system into separate pools to prevent failure propagation and limit concurrency.

Why this answer

Bulkhead isolates resources into pools (e.g., thread pools) so that a failure in one pool does not cascade. Circuit breaker stops calls after failures, retry repeats failed calls, and timeout limits wait time.

92
MCQ · hard

In Prometheus, what is the purpose of the Alertmanager component?

A. To scrape metrics from targets
B. To provide a graphical dashboard for metrics
C. To manage, group, and route alerts to notification channels like email or Slack
D. To store historical metrics data long-term
Answer: C

Correct. Alertmanager handles alert processing and notifications.

Why this answer

Alertmanager handles alerts sent by Prometheus server, deduplicates, groups, and routes them to receivers (email, Slack, etc.), and manages silencing and inhibition.

93
MCQ · medium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A. Increase the CPU request for the container
B. Delete and recreate the pod to clear the crash loop
C. Increase the memory limit in the pod's container resource specification
D. Delete the namespace and redeploy all workloads
Answer: C

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The OOMKilled status indicates the container was terminated because it exceeded its memory limit. Increasing the memory limit in the pod's container resource specification directly addresses the root cause by allowing the container to use more memory before being killed. This is the most appropriate action because the pod was running successfully for days, suggesting a gradual memory growth or a recent workload change rather than a configuration error.

Exam trap

CNCF often tests the misconception that OOMKilled is a CPU issue, leading candidates to incorrectly choose CPU adjustments, or that simply restarting the pod will fix the underlying resource constraint.

How to eliminate wrong answers

Option A is wrong because increasing the CPU request does not affect memory usage; OOMKilled is a memory-related issue, not CPU. Option B is wrong because deleting and recreating the pod would only temporarily restart the container; the same memory limit would still be enforced, and the pod would likely crash again. Option D is wrong because deleting the entire namespace and redeploying all workloads is an extreme, disruptive action that does not address the specific memory limit issue and would cause unnecessary downtime.

94
Multi-Select · hard

Which three components are part of the Kubernetes control plane?

Select 3 answers
A. kube-controller-manager
B. kube-proxy
C. kube-scheduler
D. kube-apiserver
E. kubelet
Answers: A, C, D

Correct.

Why this answer

The control plane consists of kube-apiserver, etcd, kube-scheduler, and kube-controller-manager. kubelet and kube-proxy run on nodes.

95
Multi-Select · medium

Which TWO of the following are benefits of container orchestration?

Select 2 answers
A. Ability to run containers without a kernel
B. Manual scaling of containers
C. High availability through self-healing
D. Automated scaling based on demand
E. Simplified network configuration for each container
Answers: C, D

Orchestrators automatically restart failed containers.

Why this answer

Container orchestration provides high availability (self-healing, automated restarts) and scaling (automatically adjusting replicas based on load).

96
MCQ · medium

A developer wants to run a containerized application locally for development. Which tool is most appropriate?

A. CRI-O
B. Docker Compose
C. containerd
D. Kubernetes
Answer: B

Ideal for local development with multi-container apps.

Why this answer

Docker Compose is the most appropriate tool for running a containerized application locally during development because it allows you to define and manage multi-container applications using a simple YAML file. It handles container lifecycle, networking, and volume mounts with a single `docker compose up` command, making it ideal for local development workflows where rapid iteration and simplicity are key.

Exam trap

The trap here is that candidates confuse container runtimes (CRI-O, containerd) or orchestration platforms (Kubernetes) with development tools, assuming any container-related technology can run apps locally, but the KCNA exam specifically tests the understanding that Docker Compose is the standard for local multi-container development.

How to eliminate wrong answers

Option A (CRI-O) is wrong because it is a lightweight container runtime designed for Kubernetes, not a tool for local development; it lacks the developer-friendly features like `docker compose up` and is typically used in production clusters. Option C (containerd) is wrong because it is a low-level container runtime that manages container lifecycle but does not provide orchestration or multi-container application definitions; it is a building block for higher-level tools like Docker or Kubernetes, not a development tool. Option D (Kubernetes) is wrong because it is a full-scale container orchestration platform intended for production deployments across clusters; running it locally (e.g., via Minikube or kind) adds unnecessary complexity and overhead compared to Docker Compose for simple development scenarios.

97
MCQ · easy

Which CNCF project is classified as a 'graduated' project?

A. Linkerd
B. Kubernetes
C. Knative
D. ArgoCD
Answer: B

Kubernetes was the first graduated project and is a core CNCF project.

Why this answer

Prometheus is a graduated CNCF project, indicating it has reached a high level of maturity and adoption.

98
MCQ · medium

An application requires stable network identities and persistent storage. Which workload type should be used?

A. Deployment
B. DaemonSet
C. Job
D. StatefulSet
Answer: D

StatefulSets provide stable identities and persistent storage.

Why this answer

StatefulSet is the correct workload type because it provides stable, unique network identities (via headless Services and ordinal hostnames) and persistent storage (via PersistentVolumeClaims that persist across Pod rescheduling). This makes it ideal for stateful applications like databases, where each Pod requires a stable identity and dedicated storage that survives restarts.

Exam trap

Cisco often tests the misconception that Deployments can handle stateful workloads by using PersistentVolumeClaims, but they fail to account for the lack of stable network identities and ordered pod management that StatefulSet provides.

How to eliminate wrong answers

Option A is wrong because Deployment is designed for stateless applications; it creates pods with random, ephemeral identities and does not guarantee stable network names or persistent storage per pod. Option B is wrong because DaemonSet ensures one pod per node, typically for node-level services like logging or monitoring, and does not provide stable identities or persistent storage for stateful workloads. Option C is wrong because Job is intended for batch processing tasks that run to completion, not for long-running stateful services requiring stable identities and persistent storage.

99
MCQ · easy

Which component of the Kubernetes control plane is responsible for persisting the cluster state?

A. kube-scheduler
B. kube-controller-manager
C. etcd
D. kube-apiserver
Answer: C

etcd is the cluster's database, storing all cluster data.

Why this answer

etcd is a distributed key-value store that stores the entire configuration and state of the Kubernetes cluster.

100
Multi-Select · hard

Which THREE are typical characteristics of a cloud-native application?

Select 3 answers
A. Long startup times due to heavy initialization
B. Vulnerable to cascading failures
C. Packaged as lightweight containers
D. Designed for horizontal scaling
E. Built using microservices architecture
Answers: C, D, E

Containers are standard.

Why this answer

Option C is correct because cloud-native applications are typically packaged as lightweight containers (e.g., Docker) that encapsulate the application and its dependencies, enabling fast startup, portability, and efficient resource utilization. Containers share the host OS kernel and have minimal overhead compared to virtual machines, which aligns with the cloud-native principle of agility and scalability.

Exam trap

CNCF often tests the misconception that cloud-native apps are just 'apps in the cloud' rather than specifically requiring containerization, microservices, and horizontal scaling; candidates may mistakenly associate long startup times or fragility with cloud-native, when those are anti-patterns.

101
MCQ · hard

You are implementing an API gateway pattern for a set of microservices. Which of the following is a typical responsibility of an API gateway?

A. Managing container lifecycle and scaling
B. Directly accessing databases to serve requests
C. Storing application state and session data
D. Enforcing authentication and rate limiting
Answer: D

These are common gateway responsibilities.

Why this answer

An API gateway handles cross-cutting concerns like authentication, rate limiting, routing, and aggregation. Direct database access (B) is an antipattern, managing container orchestration (A) is Kubernetes' job, and storing application state (C) is not a gateway function.

102
MCQ · easy

Which of the following is a benefit of using an orchestrator like Kubernetes?

A. Direct access to the host kernel for performance tuning
B. Guaranteed zero downtime for all updates
C. Automatic scaling based on CPU utilization
D. Manual scaling based on traffic spikes
Answer: C

Horizontal Pod Autoscaler can automatically scale pods based on CPU or custom metrics.

Why this answer

Kubernetes, as a container orchestrator, provides built-in Horizontal Pod Autoscaling (HPA) that automatically adjusts the number of pod replicas based on observed CPU utilization (or custom metrics). This is a core benefit because it allows applications to handle varying load without manual intervention, improving resource efficiency and availability.

Exam trap

The trap here is that candidates confuse 'automatic scaling' with 'manual scaling' or assume Kubernetes guarantees zero downtime, but the exam tests the specific benefit of automated, policy-driven scaling based on metrics like CPU utilization.

How to eliminate wrong answers

Option A is wrong because Kubernetes does not provide direct access to the host kernel; containers share the host kernel via namespaces and cgroups, and direct kernel access would break isolation and security. Option B is wrong because Kubernetes cannot guarantee zero downtime for all updates; while it supports rolling updates and strategies like maxSurge and maxUnavailable to minimize disruption, factors like application bugs or resource constraints can still cause downtime. Option D is wrong because manual scaling based on traffic spikes is not a benefit of using an orchestrator; orchestrators like Kubernetes automate scaling, and manual scaling is a legacy approach that defeats the purpose of orchestration.

103
Multi-Select · medium

Which TWO of the following components are part of the Kubernetes control plane? (Select 2)

Select 2 answers
A. container runtime
B. kube-apiserver
C. kubelet
D. etcd
E. kube-proxy
Answers: B, D

It is the API server, central to the control plane.

Why this answer

The control plane consists of kube-apiserver, etcd, kube-scheduler, and kube-controller-manager. kubelet and kube-proxy run on worker nodes.

104
Drag & Drop · medium

Drag and drop the steps to perform a backup of etcd in a Kubernetes cluster into the correct order.

Why this order

Access the node, save snapshot, verify, store securely, and restore when necessary.

105
MCQ · hard

A team is designing a cloud-native system that must maintain high availability across multiple cloud regions. The application uses Kubernetes clusters in each region. Which approach best ensures that the system can tolerate a full region failure while minimizing complexity?

A. Deploy a single Kubernetes cluster spanning all regions
B. Use a global load balancer with active-passive regional failover
C. Run active-active in all regions with synchronous data replication
D. Implement manual failover procedures documented in runbooks
Answer: B

Simpler to implement and manage while ensuring failover.

Why this answer

Option B is correct because a global load balancer with active-passive regional failover provides a straightforward way to route traffic to a healthy secondary region when the primary fails, without the complexity of multi-region Kubernetes control planes or synchronous replication. This approach leverages DNS-based or anycast routing to detect region failure and redirect traffic, ensuring high availability while keeping the operational overhead low.

Exam trap

CNCF often tests the misconception that active-active with synchronous replication is always the best for high availability, but the trap here is that it introduces unnecessary complexity and cost for most use cases, while active-passive with a global load balancer offers a simpler, production-proven alternative for tolerating region failures.

How to eliminate wrong answers

Option A is wrong because a single Kubernetes cluster spanning multiple regions introduces significant latency, network partitioning risks, and control plane complexity, as Kubernetes is not designed for cross-region single clusters and would violate the recommended failure domain boundaries. Option C is wrong because active-active with synchronous data replication across regions adds substantial latency, cost, and complexity, and is typically unnecessary for most applications; it also requires careful handling of conflict resolution and network reliability. Option D is wrong because manual failover procedures are slow, error-prone, and cannot meet the high availability requirements of a cloud-native system that must tolerate a full region failure automatically.

106
Multi-Select · easy

Which TWO of the following are CNCF graduated projects? (Choose two.)

Select 2 answers
A. Helm
B. Linkerd
C. Kubernetes
D. ArgoCD
E. Prometheus
Answers: C, E

Kubernetes is a CNCF graduated project.

Why this answer

Kubernetes and Prometheus are both graduated CNCF projects. Containerd, etcd, and Envoy are also graduated, but they are not listed among the options, which are Kubernetes, Prometheus, Linkerd, ArgoCD, and Helm.

Linkerd is still incubating. ArgoCD is graduated (as of Dec 2022) and Helm is graduated (since 2020), so more than two of the listed options are graduated.

The question asks for two, so to be safe we choose the most well-known: Kubernetes and Prometheus.

107
MCQ · easy

Which component is responsible for running containers on a Kubernetes node?

A. etcd
B. kube-scheduler
C. Container runtime (e.g., containerd)
D. kubelet
Answer: C

The container runtime is the component that actually runs containers.

Why this answer

The container runtime (e.g., containerd) is the component responsible for actually running containers on a Kubernetes node. It pulls container images, manages container lifecycles, and handles low-level operations such as starting and stopping containers via the CRI (Container Runtime Interface). Without a container runtime, the kubelet cannot launch or manage any containers on the node.

Exam trap

The trap here is that candidates often confuse the kubelet with the container runtime, thinking the kubelet directly runs containers, when in fact the kubelet only orchestrates via the CRI and relies on a separate container runtime to execute them.

How to eliminate wrong answers

Option A is wrong because etcd is a distributed key-value store that holds all cluster data, not a component that runs containers on a node. Option B is wrong because kube-scheduler is a control plane component that assigns pods to nodes based on resource availability and constraints, but it does not execute containers. Option D is wrong because the kubelet is the node agent that communicates with the container runtime via the CRI to ensure containers are running as expected, but it does not directly run containers itself.

108
MCQ · medium

A pod is in the 'CrashLoopBackOff' state. You run 'kubectl logs mypod' and see an error related to missing environment variables. The pod is part of a Deployment. What is the best way to fix this without recreating the entire Deployment?

A. Use kubectl set env to add the environment variables to the pod
B. Delete the pod and rely on the Deployment to recreate it
C. Update the Deployment's pod template to include the missing environment variables
D. Edit the pod directly using kubectl edit pod mypod
Answer: C

Updating the Deployment's spec triggers a rolling update, creating new pods with the correct environment.

Why this answer

You can update the Deployment's pod template to include the missing environment variables, then perform a rolling update.

109
MCQ · hard

A team is deploying a microservice application on Kubernetes. They want to ensure that during rolling updates, the new version of the service receives traffic only after the readiness probe succeeds. However, they observe that the old pods are terminated before the new pods are ready, causing a brief downtime. Which configuration change should they make to the Deployment to prevent this?

A. Set spec.strategy.rollingUpdate.minReadySeconds to 0
B. Set spec.strategy.rollingUpdate.maxSurge=0 and maxUnavailable=1
C. Add a liveness probe to the container spec
D. Set spec.strategy.rollingUpdate.maxSurge=1 and maxUnavailable=0

Why this answer

Option B is correct because setting spec.strategy.rollingUpdate.maxSurge=0 and maxUnavailable=1 ensures that during a rolling update, the old pods are not terminated until new pods become ready. Option A is incorrect because it allows surge but does not guarantee readiness. Option C is incorrect because it doesn't change the update behavior.

Option D is incorrect because it adds a liveness probe, which is for restarting unhealthy pods, not for traffic shifting.

110
Multi-Select · medium

Which two of the following are container runtimes that implement the Container Runtime Interface (CRI)? (Choose two.)

Select 2 answers
A. Docker
B. containerd
C. Podman
D. CRI-O
E. runc
Answers: B, D

containerd implements CRI and is a common runtime.

Why this answer

containerd and CRI-O are CRI-compliant container runtimes. Docker is not directly CRI-compatible (uses dockershim, deprecated). runc is a low-level runtime that is used by containerd and CRI-O but is not itself a CRI implementation.

111
MCQ · hard

You have a Deployment that manages 3 replicas. You want to perform a rolling update with a maximum of 2 Pods unavailable during the update. Which field should you set in the Deployment spec?

A. spec.strategy.rollingUpdate.maxUnavailable
B. spec.minReadySeconds
C. spec.strategy.rollingUpdate.maxSurge
D. spec.replicas
Answer: A

maxUnavailable defines the maximum number of Pods that can be unavailable during the update.

Why this answer

maxUnavailable in the rolling update strategy controls how many Pods can be unavailable during the update.

112
MCQ · medium

You have a Pod with a container that needs to read sensitive data such as a database password. Which Kubernetes resource should you use to store this data?

A. PersistentVolume
B. Secret
C. ServiceAccount
D. ConfigMap
Answer: B

Secrets store sensitive data and can be mounted as volumes or environment variables.

Why this answer

Secrets are designed to store sensitive information like passwords, tokens, or keys.

113
MCQmedium

Which of the following is a benefit of using container orchestration platforms like Kubernetes?

A.Increased network latency
B.Manual scaling of applications
C.Self-healing (automatic restart of failed containers)
D.Tighter coupling between microservices
AnswerC

Kubernetes automatically restarts containers that fail, replaces and reschedules pods when nodes die.

Why this answer

Option C is correct because Kubernetes includes built-in controllers (the kubelet and ReplicaSet controller) that continuously monitor the desired state of pods. If a container fails or its process crashes, the kubelet automatically restarts it based on the pod's restart policy (e.g., Always), ensuring high availability without manual intervention. This self-healing capability is a core benefit of container orchestration, reducing downtime and operational overhead.

Exam trap

CNCF often tests the misconception that container orchestration platforms like Kubernetes increase complexity and latency, but the correct answer highlights that they actually automate recovery and improve resilience, not degrade performance.

How to eliminate wrong answers

Option A is wrong because container orchestration platforms like Kubernetes typically reduce network latency through service discovery and intelligent load balancing (e.g., kube-proxy with iptables/IPVS), not increase it. Option B is wrong because Kubernetes enables automatic scaling via Horizontal Pod Autoscaler (HPA) based on CPU/memory metrics or custom metrics, eliminating the need for manual scaling. Option D is wrong because Kubernetes promotes loose coupling between microservices through declarative APIs, service abstractions (ClusterIP), and decoupled communication patterns, not tighter coupling.

114
MCQhard

In Istio, which component is responsible for enforcing traffic policies and collecting telemetry data at the pod level?

A.Mixer
B.Envoy proxy
C.Pilot
D.Citadel
AnswerB

Envoy runs as a sidecar and handles data-plane tasks.

Why this answer

Envoy proxy is the correct answer because in Istio, each pod is deployed with an Envoy sidecar proxy that intercepts all inbound and outbound traffic. This proxy enforces traffic policies (e.g., routing rules, fault injection, rate limiting) and collects telemetry data (e.g., metrics, logs, traces) at the pod level, sending it to the observability backends. The sidecar model ensures policy enforcement and telemetry collection happen without modifying the application code.

Exam trap

CNCF often tests the misconception that Mixer is still the primary policy enforcement and telemetry component, but the trap here is that Mixer was deprecated and removed; candidates who haven't kept up with Istio's evolution may incorrectly select Mixer (Option A) instead of recognizing that Envoy now handles both roles via in-proxy extensions.

How to eliminate wrong answers

Option A is wrong because Mixer was a separate Istio component responsible for access control and telemetry preprocessing, but it was deprecated in Istio 1.5 and removed in later versions; telemetry and policy enforcement are now handled directly by Envoy proxies via WebAssembly extensions and the Telemetry API. Option C is wrong because Pilot is the control plane component that translates high-level traffic rules into Envoy configuration (e.g., xDS APIs) and distributes them to proxies, but it does not enforce policies or collect telemetry at the pod level. Option D is wrong because Citadel is the security component that manages certificate issuance and mTLS key rotation (using SPIFFE identities), but it does not handle traffic policy enforcement or telemetry collection.

115
Multi-Selectmedium

Which TWO of the following are benefits of using a container orchestration platform like Kubernetes? (Select 2)

Select 2 answers
A.Manual deployment of containers to servers
B.Requirement for a hypervisor on every node
C.Self-healing of failed containers
D.Static infrastructure that never changes
E.Automatic scaling of applications based on demand
AnswersC, E

Orchestration restarts failed containers automatically.

Why this answer

High availability and self-healing are key benefits. Manual deployment and static scaling are not benefits of orchestration.

116
MCQmedium

What is the purpose of a readiness probe in a Kubernetes pod?

A.To check if the pod has been scheduled on a node
B.To measure the CPU and memory usage of the container
C.To determine if the container is healthy and should be restarted
D.To determine if the container is ready to serve traffic
AnswerD

Readiness probes indicate when a container is ready to start accepting requests. If it fails, traffic is not sent to the pod.

Why this answer

Readiness probes determine whether a container is ready to accept traffic. If the probe fails, the pod is removed from the Service's endpoints. Liveness probes determine if the container is healthy and should be restarted.

Startup probes check if the application has started successfully.

117
Multi-Selectmedium

Which THREE of the following are valid Kubernetes resource types that can be used to store configuration data or secrets?

Select 2 answers
A.Secret
B.Volume
C.PersistentVolumeClaim
D.ServiceAccount
E.ConfigMap
AnswersA, E

Why this answer

Option A is correct because a Secret is a dedicated Kubernetes resource type designed to store sensitive data, such as passwords, OAuth tokens, and SSH keys, in a base64-encoded format. Secrets are stored in etcd and can be mounted as volumes or exposed as environment variables, with optional encryption at rest to protect sensitive configuration data.

Exam trap

CNCF often tests the misconception that Volumes or PersistentVolumeClaims can store configuration data or secrets, but they are storage abstractions for arbitrary data, not the dedicated key-value resources (ConfigMap and Secret) designed for configuration and secrets management.

118
MCQmedium

An administrator runs 'kubectl get pods' and sees that a pod named 'app-pod' is in 'CrashLoopBackOff'. They run 'kubectl logs app-pod' and see a segmentation fault error. What is the most likely cause?

A.The node is out of memory
B.The container has a configuration error
C.The application code has a bug
D.The readiness probe is misconfigured
AnswerC

Segmentation faults are typically caused by bugs in the application code.

Why this answer

A segmentation fault (segfault) is a specific error caused by a program attempting to access memory it does not have permission to access, typically due to a bug in the application code (e.g., null pointer dereference, buffer overflow). Since the container starts but then crashes repeatedly (CrashLoopBackOff), the segfault indicates the application itself is failing, not the infrastructure or configuration. This is the most direct cause of the pod entering CrashLoopBackOff.

Exam trap

CNCF often tests the distinction between application-level errors (like segfaults) and infrastructure or configuration issues, tempting candidates to blame resource constraints or probe misconfiguration when the logs clearly point to a runtime crash.

How to eliminate wrong answers

Option A is wrong because a node out-of-memory condition would cause the pod to be evicted or fail to schedule, not produce a segmentation fault in the application logs; the kubelet would report an OOMKilled status, not a segfault. Option B is wrong because a configuration error (e.g., missing environment variable, incorrect command) would typically result in an immediate container exit with a non-zero exit code or a startup failure, not a segmentation fault which is a runtime memory access violation. Option D is wrong because a misconfigured readiness probe would cause the pod to be marked as not ready and removed from service endpoints, but the container would continue running and not crash; the logs would show probe failures, not a segfault.

119
Multi-Selectmedium

Which TWO statements about GitOps are correct?

Select 2 answers
A.GitOps requires a container registry
B.Git is the single source of truth for desired system state
C.The cluster state is automatically reconciled with the Git repository
D.GitOps eliminates the need for CI pipelines
E.Changes are made directly to the cluster using kubectl
AnswersB, C

GitOps defines desired state in Git.

Why this answer

GitOps uses Git as the single source of truth and automatically reconciles cluster state with the repository.

120
MCQhard

In a microservices application, you want to prevent cascading failures by limiting the number of concurrent requests to a downstream service. Which resilience pattern should you implement?

A.Circuit breaker
B.Timeout pattern
C.Bulkhead pattern
D.Retry pattern
AnswerC

Bulkhead pattern partitions resources to prevent a single service from exhausting all resources.

Why this answer

The bulkhead pattern isolates resources into separate pools (e.g., thread pools) to limit the impact of a failure in one service on others.

121
Matchingmedium

Match each Kubernetes object to its typical use case.

Concepts
Matches

Ensures a copy of a pod runs on all or selected nodes

Manages stateful applications with unique network identities

Runs a finite task to completion

Runs jobs on a time-based schedule

Automatically scales pod replicas based on CPU/memory metrics

Why these pairings

Each workload resource addresses specific operational requirements.

122
MCQeasy

Which deployment strategy updates pods incrementally, replacing old pods with new ones while ensuring availability?

A.Canary deployment
B.Blue-green deployment
C.Recreate
D.Rolling update
AnswerD

This is the default Kubernetes deployment strategy.

Why this answer

The Rolling update strategy is the correct answer because it incrementally replaces old pods with new ones while maintaining application availability. In Kubernetes, a rolling update updates pods one by one (or in small batches), ensuring that a specified number of pods remain available throughout the process. This is achieved by gradually scaling down the old ReplicaSet and scaling up the new one, controlled by parameters like `maxSurge` and `maxUnavailable` in the Deployment spec.

Exam trap

CNCF often tests the distinction between deployment strategies by confusing candidates with 'Canary deployment' because it also involves gradual traffic shifting, but the key difference is that Canary does not replace pods incrementally—it runs both versions concurrently and requires external traffic routing.

How to eliminate wrong answers

Option A is wrong because a Canary deployment routes a small percentage of traffic to a new version before a full rollout, but it does not incrementally replace pods; it runs both versions simultaneously and requires traffic management (e.g., via a service mesh or ingress). Option B is wrong because a Blue-green deployment creates a completely new environment (green) alongside the old one (blue) and switches traffic all at once, rather than updating pods incrementally. Option C is wrong because the Recreate strategy terminates all old pods before creating new ones, causing downtime and violating the availability requirement.

123
Multi-Selecteasy

Which TWO of the following are valid ways to view the logs of a pod named 'my-pod'?

Select 2 answers
A.kubectl describe pod my-pod
B.kubectl exec my-pod -- cat /var/log/app.log
C.kubectl logs my-pod
D.kubectl run my-pod -- logs
E.kubectl attach my-pod
AnswersB, C

If the application writes logs to a file, this command can retrieve them.

Why this answer

Option B is correct because `kubectl exec my-pod -- cat /var/log/app.log` runs the `cat` command inside the container of the pod, allowing you to read a specific log file directly from the filesystem. This is a valid method when the application writes logs to a file rather than stdout/stderr, or when you need to inspect a log file that is not captured by the standard logging driver.

Exam trap

The trap here is that candidates may confuse `kubectl describe` (which shows pod events and status) with `kubectl logs` (which shows actual application output), or assume `kubectl attach` can retrieve past logs when it only connects to the live process stream.

124
MCQhard

You have a Deployment with three replicas. You want to update the container image but ensure that only one pod is updated at a time, and the update proceeds only if the new pod becomes healthy. Which update strategy should you configure?

A.RollingUpdate with maxSurge=3 and maxUnavailable=1
B.RollingUpdate with maxSurge=1 and maxUnavailable=0
C.Canary deployment via Ingress
D.Recreate strategy
AnswerB

This configuration updates one pod at a time and waits for the new pod to become healthy before proceeding.

Why this answer

RollingUpdate with maxSurge=1 and maxUnavailable=0 ensures one pod is updated at a time and the update pauses if the new pod is not healthy.

125
Multi-Selectmedium

Which THREE of the following are valid ways to create a Kubernetes resource using kubectl?

Select 3 answers
A.kubectl exec -it pod-name -- /bin/bash
B.kubectl run nginx --image=nginx
C.kubectl logs pod-name
D.kubectl create -f pod.yaml
E.kubectl apply -f deployment.yaml
AnswersB, D, E

Creates a deployment or pod running the specified image.

Why this answer

Option B is correct because `kubectl run nginx --image=nginx` creates a Pod imperatively, which is a valid way to create a Kubernetes resource directly from the command line without a manifest file. This command generates a Pod named 'nginx' using the specified container image, and it is a supported method for quick testing or ad-hoc resource creation.

Exam trap

CNCF often tests the distinction between commands that create resources versus commands that interact with existing resources, so candidates may mistakenly think `kubectl exec` or `kubectl logs` can create resources because they are common kubectl commands.

126
MCQmedium

Which kubectl command would you use to view the logs of a container named 'web' inside a Pod named 'app-12345'?

A.kubectl logs app-12345 -c web
B.kubectl logs -p web app-12345
C.kubectl logs app-12345 --container=web
D.kubectl logs web app-12345
AnswerA

Correct syntax: pod name first, then -c flag for container.

Why this answer

Option A is correct because `kubectl logs app-12345 -c web` explicitly specifies the container name 'web' within the Pod 'app-12345' using the `-c` flag. This is the standard syntax for viewing logs of a specific container in a multi-container Pod, as the `kubectl logs` command defaults to the first container if `-c` is omitted.

Exam trap

CNCF often tests the distinction between the `-c` flag for container selection and the `-p` flag for previous container logs, and the correct argument order (`kubectl logs <pod> -c <container>` vs. `kubectl logs <container> <pod>`), which leads candidates to confuse the flags or the positional syntax.

How to eliminate wrong answers

Option B is wrong because `-p` is the flag for viewing logs of a previously terminated container, not for specifying a container name; the correct flag for container selection is `-c`, and the order of arguments is incorrect (the container name should follow `-c`). Option C is wrong because, although `--container=web` is a valid alternative syntax, the question asks for the command that would be used and `-c web` is the standard short form; C is not the most common or direct form in this context, and the answer key lists A as the correct answer. Option D is wrong because the syntax `kubectl logs web app-12345` places the container name before the Pod name, which is invalid; the correct order is `kubectl logs <pod-name> -c <container-name>`.

127
MCQmedium

A DevOps engineer has created a ConfigMap named 'app-config' and wants to use it to set environment variables in a pod. Which field in the pod spec should reference the ConfigMap?

A.spec.containers[].command
B.spec.containers[].env.name
C.spec.containers[].volumeMounts
D.spec.containers[].envFrom
AnswerD

'envFrom' is used to reference a ConfigMap or Secret and inject all entries as environment variables.

Why this answer

The 'envFrom' field in a container spec allows injecting all key-value pairs from a ConfigMap as environment variables.

128
MCQeasy

Which service mesh component is typically deployed as a sidecar proxy alongside application containers?

A.Kiali
B.Istiod
C.Prometheus
D.Envoy proxy
AnswerD

Envoy is often deployed as a sidecar to intercept traffic.

Why this answer

Envoy proxy is the most common sidecar proxy in service meshes like Istio and Linkerd. Istiod is the control plane component, Kiali is a visualization tool, and Prometheus is a monitoring system.

129
MCQmedium

An administrator wants to update the image of a Deployment named 'my-app' from 'nginx:1.19' to 'nginx:1.20' with a rolling update strategy. They want to ensure that during the update, the number of unavailable pods never exceeds 1. Which field should they set in the Deployment spec?

A.spec.replicas
B.spec.minReadySeconds
C.spec.strategy.rollingUpdate.maxSurge
D.spec.strategy.rollingUpdate.maxUnavailable
AnswerD

maxUnavailable sets the maximum number of pods that can be unavailable during a rolling update. Setting to 1 ensures at most one pod is down at a time.

Why this answer

Option D is correct because `spec.strategy.rollingUpdate.maxUnavailable` controls the maximum number of Pods that can be unavailable during a rolling update. Setting this to 1 ensures that at most one Pod is unavailable at any time, meeting the administrator's requirement. This field is part of the Deployment's rolling update strategy and directly governs the availability guarantee during the update process.

Exam trap

The trap here is that candidates often confuse `maxSurge` with `maxUnavailable`, mistakenly thinking that controlling how many extra Pods are created (surge) also limits unavailable Pods, but `maxSurge` only caps the number of Pods above the desired count, not the number that can be unavailable.

How to eliminate wrong answers

Option A is wrong because `spec.replicas` defines the desired number of Pod replicas, not the availability constraints during an update. Option B is wrong because `spec.minReadySeconds` controls how long a newly created Pod must be ready before it is considered available, but it does not limit the number of unavailable Pods during a rolling update. Option C is wrong because `spec.strategy.rollingUpdate.maxSurge` controls the maximum number of Pods that can be created above the desired replica count during an update, not the number of unavailable Pods.

130
MCQeasy

What is the primary purpose of a continuous integration (CI) pipeline in cloud native application delivery?

A.To provision infrastructure resources
B.To automatically deploy code to production
C.To build and test code changes automatically
D.To manage container images in a registry
AnswerC

CI focuses on building and testing every change.

Why this answer

CI automates building and testing code changes to catch integration issues early, ensuring that code is always in a deployable state.

131
MCQmedium

Which service mesh provides built-in support for multi-cluster and multi-cloud deployments?

A.Kuma
B.Consul Connect
C.Istio
D.Linkerd
AnswerC

Why this answer

Istio is correct because it provides native support for multi-cluster and multi-cloud deployments through its mesh federation capabilities, including features like multi-primary and primary-remote cluster models, as well as east-west gateways for cross-cluster traffic. It leverages Envoy proxies and a unified control plane to enable service discovery, traffic management, and security across clusters, making it the only option among the listed that offers built-in, production-ready multi-cluster support.

Exam trap

CNCF often tests the misconception that all service meshes have equal multi-cluster support, leading candidates to pick Linkerd for its simplicity or Consul for its multi-datacenter reputation, but Istio is the only one with built-in, comprehensive multi-cloud and multi-cluster capabilities as a core feature.

How to eliminate wrong answers

Option A is wrong because Kuma, while supporting multi-zone deployments, is built on Envoy and primarily focuses on service mesh for Kubernetes and VMs with a simpler architecture, but it lacks the mature, built-in multi-cluster and multi-cloud features that Istio provides out-of-the-box, such as native federation and cross-cluster load balancing. Option B is wrong because Consul Connect (part of HashiCorp Consul) supports multi-datacenter deployments but is not a dedicated service mesh; it relies on Consul's service discovery and intentions for security, and its multi-cluster capabilities are more about datacenter replication rather than the seamless multi-cloud service mesh integration that Istio offers. Option D is wrong because Linkerd, while lightweight and simple, does not have built-in multi-cluster support; it requires additional tools or manual configuration for cross-cluster communication, and its focus is on single-cluster performance and simplicity, not multi-cloud deployments.

132
MCQhard

A Deployment is configured with 'replicas: 5' and a rolling update strategy. During an update, you notice that the number of available pods drops to 3 momentarily. Which field in the Deployment spec can be adjusted to control the minimum number of pods available during a rolling update?

A.spec.strategy.rollingUpdate.maxSurge
B.spec.strategy.rollingUpdate.maxUnavailable
C.spec.minReadySeconds
D.spec.replicas
AnswerB

maxUnavailable controls how many pods can be unavailable during the update.

Why this answer

The 'maxUnavailable' field in the rolling update strategy specifies the maximum number of pods that can be unavailable during the update. Setting it to a lower value ensures more pods remain available.

133
MCQhard

You need to deploy a batch job that processes a queue and runs to completion. The job should run exactly once and create exactly one pod per work item, but some items may fail. Which Kubernetes resource is best suited?

A.Deployment
B.Job
C.CronJob
D.DaemonSet
AnswerB

A Job is designed for batch processing, ensuring a specified number of pods complete successfully.

Why this answer

A Job with a specified number of completions and parallelism can run pods to completion, handling failures by restarting or marking as failed.

134
MCQmedium

A company wants to adopt immutable infrastructure for its containerized applications. Which practice BEST exemplifies immutability?

A.Developers use kubectl exec to change environment variables in a running pod
B.When a container fails, the orchestrator terminates it and launches a new container from the same image
C.A configuration management tool runs periodically to ensure containers are up-to-date
D.An operator logs into a running container and applies a security patch with apt-get update
AnswerB

Immutable infrastructure treats containers as disposable; failures are handled by replacement, not repair.

Why this answer

Option A is correct. Immutable infrastructure means replacing a failed or outdated container with a new one built from a fresh image, rather than patching in place. Option B is mutable (updating in place).

Option C is mutable (SSH for debugging). Option D is mutable (updating packages via exec).

135
MCQeasy

Which Kubernetes component is responsible for ensuring that the desired number of pod replicas is running in the cluster?

A.kubelet
B.kube-scheduler
C.kube-controller-manager
D.kube-apiserver
AnswerC

The controller manager runs controllers that handle replication, endpoints, etc.

Why this answer

The kube-controller-manager runs various controllers, including the ReplicaSet controller, which ensures that the desired number of pods is maintained.

136
Multi-Selecthard

Which TWO of the following are responsibilities of the kube-controller-manager?

Select 2 answers
A.Assigning pods to nodes
B.Storing cluster state
C.Managing endpoint objects for Services
D.Monitoring node health
E.Serving the Kubernetes API
AnswersC, D

Why this answer

The kube-controller-manager runs controllers that handle routine tasks. The Node controller watches the health of nodes. The Endpoint controller (now EndpointSlice controller) manages endpoints for Services.

Assigning pods to nodes is done by the scheduler. Storing cluster state is done by etcd. Serving the Kubernetes API is done by kube-apiserver.

137
MCQmedium

Which Kubernetes object can be used to store sensitive data, such as passwords or API keys, and inject them into pods?

A.PersistentVolume
B.ServiceAccount
C.Secret
D.ConfigMap
AnswerC

Secrets store sensitive data as base64-encoded values.

Why this answer

Secrets are designed to store sensitive information and can be mounted as volumes or environment variables.

138
MCQmedium

A Deployment is configured with 'replicas: 3'. After a node failure, only 2 pods are running. What component ensures that a new pod is scheduled to restore the desired replica count?

A.kube-scheduler
B.kube-controller-manager
C.kubelet
D.kube-proxy
AnswerB

The controller manager includes the ReplicaSet controller that ensures the desired number of pods.

Why this answer

The kube-controller-manager runs the ReplicaSet controller, which detects the mismatch and creates a new pod.

139
MCQhard

A user reports that they cannot connect to a database service named 'db-service' from another pod in the same namespace. The service selector matches the database pod's labels. Which command would you run FIRST to troubleshoot the service's endpoints?

A.kubectl describe pod db-service
B.kubectl get endpoints db-service
C.kubectl exec -it <some-pod> -- curl db-service
D.kubectl logs db-service
AnswerB

Endpoints show the IP addresses of pods selected by the service. If empty, the selector is mismatched.

Why this answer

Option B is correct because `kubectl get endpoints db-service` directly shows whether the service has any endpoints (i.e., pod IPs) associated with it. If the endpoints list is empty, it indicates that the service's label selector is not matching any pods, which is the most common cause of connectivity failure. This is the fastest way to verify the fundamental prerequisite for service-to-pod traffic.

Exam trap

The trap here is that candidates often jump to connectivity tests (like curl) or pod logs, forgetting that the service must first have endpoints; Cisco tests whether you know to verify the selector-to-pod match at the endpoint level before assuming network issues.

How to eliminate wrong answers

Option A is wrong because `kubectl describe pod db-service` would fail since 'db-service' is a service name, not a pod name; even if you used the correct pod name, describing a pod does not reveal the service's endpoint status. Option C is wrong because `kubectl exec -it <some-pod> -- curl db-service` tests connectivity from within the cluster, but it assumes the service already has endpoints; running this first could waste time if the issue is that no endpoints exist. Option D is wrong because `kubectl logs db-service` is invalid (logs require a pod name, not a service name) and even if applied to a pod, logs would not show the service's endpoint state.

140
MCQmedium

You need to inspect the logs of a container named 'app' in a pod called 'web-1'. Which kubectl command should you use?

A.kubectl logs web-1 --container app
B.kubectl logs web-1 -c app
C.kubectl logs app web-1
D.kubectl logs -p web-1 app
AnswerB

This command correctly retrieves logs from the container 'app' in pod 'web-1'.

Why this answer

Option B is correct because the `kubectl logs` command requires the pod name first, and the `-c` flag (or `--container`) specifies the container name within that pod. Since the pod 'web-1' contains a container named 'app', `kubectl logs web-1 -c app` retrieves the logs from that specific container. This is the standard syntax for targeting a container in a multi-container pod.

Exam trap

CNCF often tests the argument order of `kubectl logs` and the specific use of `-c` vs. `--container`, trapping candidates who confuse the pod name with the container name or use incorrect flag syntax.

How to eliminate wrong answers

Option A is wrong because it uses the `--container` flag with an equals sign, which is syntactically incorrect; the correct flag is `-c` or `--container` followed by a space and the container name. Option C is wrong because it reverses the argument order, placing the container name before the pod name, which kubectl interprets as an attempt to fetch logs from a pod named 'app' with a container named 'web-1', leading to an error. Option D is wrong because the `-p` flag is used to get logs from a previous instance of a container (e.g., after a crash), not to specify the container name, and the argument order is incorrect.

141
MCQmedium

Refer to the exhibit. A pod is created with the above manifest. The container runs nginx listening on port 80, but the liveness probe is configured to check port 8080. What will happen?

A.The pod will fail to start because the probe port mismatches the container port.
B.The liveness probe will fail, but the pod will still be marked as Ready.
C.The liveness probe will fail, causing the container to be restarted.
D.The pod will run successfully because the probe is not required.
AnswerC

Correct; liveness probe failure leads to restart.

Why this answer

The liveness probe is configured to check port 8080, but the container only listens on port 80. Since the probe will never receive a successful HTTP response from port 8080, it will fail repeatedly. According to Kubernetes behavior, after the failure threshold is reached (default: 3 failures with a 10-second interval), kubelet will restart the container to attempt to recover it.

This is the intended mechanism for detecting and remediating deadlocked or unresponsive applications.

Exam trap

Cisco often tests the distinction between probe failure and pod startup failure—candidates mistakenly think a misconfigured probe prevents the pod from starting, but Kubernetes always starts the container first and then evaluates probes asynchronously.

How to eliminate wrong answers

Option A is wrong because a probe port mismatch does not prevent the pod from starting; the pod will start and the container will run, but the liveness probe will fail. Option B is wrong because the liveness probe failure does not affect the Ready condition directly—readiness is determined by the readiness probe, not the liveness probe—but the container will be restarted, so the pod will not remain in a stable Ready state. Option D is wrong because the liveness probe is explicitly defined in the manifest and is therefore required; Kubernetes will execute it regardless of whether the container port matches.

142
MCQhard

A pod is running a Java application that occasionally leaks memory. After a few hours, 'kubectl describe pod' shows the container exited with OOMKilled. You want to automatically restart the container but ensure the application has enough memory. What should you do?

A.Set restartPolicy: OnFailure in the pod spec
B.Use a DaemonSet instead of a Deployment
C.Increase the memory limit in the container's resources.limits and add a liveness probe that triggers on high memory usage
D.Set terminationGracePeriodSeconds to 0
AnswerC

Increasing memory limit prevents OOM, and a liveness probe can restart the pod before OOM.

Why this answer

The default restart policy is Always, so the container will restart. The solution is to increase the memory limit and consider using a liveness probe to detect and restart earlier.

143
MCQ · medium

Which of the following is a core component of the three pillars of observability?

A. Alerting
B. SLIs
C. Logs
D. Dashboards
Answer: C

Logs are one of the three pillars of observability.

Why this answer

The three pillars of observability are logs, metrics, and traces. Alerting is derived from metrics, not a pillar itself.

144
MCQ · medium

You have a Deployment running 3 replicas. You need to update the container image without downtime. Which command updates the image while performing a rolling update?

A. kubectl replace deployment my-deployment --image=nginx:1.25
B. kubectl set image deployment/my-deployment nginx=nginx:1.25
C. kubectl scale deployment my-deployment --image=nginx:1.25
D. kubectl update deployment my-deployment --image=nginx:1.25
Answer: B

This command updates the container image and triggers a rolling update.

Why this answer

The 'kubectl set image' command updates the container image in the Deployment, triggering a rolling update by default.

145
MCQ · easy

Which component is the primary entry point for all administrative tasks and API requests in a Kubernetes control plane?

A. kube-apiserver
B. etcd
C. kube-scheduler
D. kube-controller-manager
Answer: A

It is the API gateway for all administrative tasks.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane, exposing the REST API and handling all requests.

146
MCQ · hard

You create a Deployment with 'replicas: 3' and update the pod template to use a new image. After the rollout, you notice that the new ReplicaSet has 3 pods but they are all failing with 'CrashLoopBackOff'. You want to rollback to the previous working revision. Which command should you run?

A. kubectl set image deployment/my-deployment nginx=nginx:1.21
B. kubectl delete deployment/my-deployment --cascade=false
C. kubectl rollout undo deployment/my-deployment
D. kubectl rollout pause deployment/my-deployment
Answer: C

This command rolls back the Deployment to the previous revision.

Why this answer

'kubectl rollout undo deployment/my-deployment' rolls back to the previous revision.

147
MCQ · hard

You have a Deployment with image: myapp:v1. You update the image to myapp:v2 using 'kubectl set image deployment/myapp myapp=myapp:v2'. The rollout status shows 'Waiting for rollout to finish: 0 out of 3 new replicas have been updated...'. What is the most likely cause of this behavior?

A. The command syntax is incorrect; you should use 'kubectl set image deployment/myapp myapp:v2'
B. The new Pods are crashing due to a missing command
C. The Deployment's update strategy is set to 'Recreate'
D. The new image myapp:v2 does not exist or cannot be pulled from the registry
Answer: D

If the image cannot be pulled, the new Pods will remain in ImagePullBackOff, preventing them from being counted as updated.

Why this answer

Option D is correct. If the image pull fails (e.g., authentication error, no such image), the new Pod will be stuck in ImagePullBackOff and will not become ready. The Deployment will wait for the new Pods to be ready before proceeding.

Option A would generate an error on the command. Option B would cause an immediate error. Option C might cause an error if the container crashes, but the rollout would still update replicas; however, image pull failure is a common issue.

148
Multi-Select · hard

Which three of the following are valid methods to expose a Service to external traffic? (Select THREE)

Select 3 answers
A. Ingress
B. NodePort
C. LoadBalancer
D. ClusterIP
E. ExternalName
Answers: A, B, C

Ingress provides HTTP/HTTPS routing to Services.

Why this answer

NodePort, LoadBalancer, and Ingress are all valid methods to expose services externally. ClusterIP only exposes internally within the cluster.

149
MCQ · medium

You have a Deployment named 'frontend' with 3 replicas. You want to perform a rolling update to a new container image. Which command should you use?

A. kubectl set image deployment/frontend container1=nginx:1.20
B. kubectl replace deployment frontend --image=nginx:1.20
C. kubectl edit deployment frontend --image=nginx:1.20
D. kubectl update deployment frontend --image=v2
Answer: A

This command updates the image for container1 in the frontend deployment.

Why this answer

The `kubectl set image` command is the correct way to perform a rolling update on a Deployment. It directly updates the container image in the pod template, triggering a rolling update where the ReplicaSet gradually replaces old pods with new ones, ensuring zero downtime. Option A specifies the exact container name and new image, which matches the required syntax for a targeted update.

Exam trap

The trap here is that candidates confuse imperative commands like `kubectl set image` with declarative commands like `kubectl replace` or non-existent commands like `kubectl update`, leading them to pick options that either require a full manifest or are syntactically invalid.

How to eliminate wrong answers

Option B is wrong because `kubectl replace` is used to replace a resource from a file or stdin, not to update an image directly; it would require a full YAML/JSON definition and does not trigger a rolling update by default. Option C is wrong because `kubectl edit` opens an editor for manual changes and does not accept an `--image` flag; it is interactive and not a single command for a rolling update. Option D is wrong because `kubectl update` is not a valid kubectl command; the correct imperative command for updating an image is `kubectl set image`.

150
MCQ · medium

Which Prometheus metric type is best suited to count the number of HTTP requests received?

A. Gauge
B. Histogram
C. Summary
D. Counter
Answer: D

Counters are cumulative and only increase, perfect for counting total requests.

Why this answer

A counter is a cumulative metric that only increases, ideal for counting requests.
