Kubernetes and Cloud Native Associate KCNA (KCNA) — Questions 151225

997 questions total · 14pages · All types, answers revealed

Page 2

Page 3 of 14

Page 4
151
MCQmedium

A Deployment named 'myapp' is managing a ReplicaSet. You need to update the application image to version 2.0. What is the recommended approach?

A.Scale down the Deployment to 0 replicas, then scale up with the new image
B.Update the Deployment's pod template image to version 2.0
C.Delete the existing ReplicaSet and create a new one with the updated image
D.Directly update the pods in the ReplicaSet by using 'kubectl edit pod'
AnswerB

Updating the Deployment triggers a rolling update, ensuring zero-downtime and rollback capability.

Why this answer

Option B is correct because the recommended approach to update a Deployment's application image is to modify the pod template in the Deployment specification. The Deployment controller then automatically performs a rolling update, creating a new ReplicaSet with the updated image and gradually scaling down the old ReplicaSet, ensuring zero-downtime updates and maintaining desired replica count.

Exam trap

CNCF often tests the misconception that you must directly manipulate ReplicaSets or pods to update an application, when in fact the Deployment abstraction is designed to handle all updates through its pod template, and any direct changes to underlying resources are either reverted or break the declarative model.

How to eliminate wrong answers

Option A is wrong because scaling down to 0 replicas and then scaling up with a new image causes an unnecessary service disruption and does not leverage the Deployment's built-in rolling update mechanism, which is designed for seamless updates. Option C is wrong because manually deleting the existing ReplicaSet and creating a new one bypasses the Deployment controller's management, losing revision history and the ability to roll back; the Deployment should manage ReplicaSets automatically. Option D is wrong because directly editing pods in a ReplicaSet is ineffective, as the ReplicaSet controller will immediately revert any changes to match its pod template, and this approach does not update the Deployment's desired state.

152
MCQhard

A team wants to use feature flags to control the rollout of a new feature in a Kubernetes-deployed microservice. Which tool is specifically designed for managing feature flags in cloud-native applications?

A.Helm
B.LaunchDarkly
C.Kustomize
D.Argo Rollouts
AnswerB

Why this answer

LaunchDarkly is a feature management platform commonly used for feature flags. Argo Rollouts is for progressive delivery (canary, blue-green). Helm is a package manager.

Kustomize is for configuration management. Option A is correct.

153
MCQmedium

What is the primary benefit of using an API gateway in a microservices architecture?

A.It provides a single entry point for client requests and handles cross-cutting concerns
B.It replaces the need for service meshes
C.It stores application state
D.It performs service-to-service communication
AnswerA

The gateway abstracts the backend services and provides centralized management.

Why this answer

An API gateway acts as a single entry point for clients, providing request routing, composition, and cross-cutting concerns like authentication and rate limiting.

154
MCQmedium

A user reports that a ConfigMap update is not reflected in running pods. Which action should be taken to ensure pods receive the updated configuration?

A.Perform a rollout restart of the deployment
B.Delete and recreate the ConfigMap
C.Edit the deployment and change a label
D.Restart the kubelet on the nodes
AnswerA

Triggers new pods with updated ConfigMap values.

Why this answer

A is correct because ConfigMaps are mounted into pods as volumes or consumed via environment variables at pod creation time. Kubernetes does not automatically propagate ConfigMap updates to running pods; the only way to pick up the new configuration is to restart the pods. A rollout restart of the deployment (e.g., `kubectl rollout restart deployment`) triggers a new ReplicaSet, which creates fresh pods that read the updated ConfigMap.

Exam trap

The trap here is that candidates assume Kubernetes automatically propagates ConfigMap changes to running pods, but in reality, pods are immutable after creation and require a restart to pick up new configuration.

How to eliminate wrong answers

Option B is wrong because deleting and recreating the ConfigMap does not affect running pods; pods still reference the old data from the initial mount or environment variable injection. Option C is wrong because changing a label on the deployment does not cause pods to be recreated; labels are metadata and do not trigger a pod restart or re-read of ConfigMap data. Option D is wrong because restarting the kubelet on nodes restarts the node agent but does not force pods to re-read their ConfigMap; pods continue using the cached configuration from their initial creation.

155
MCQhard

Your organization runs a microservices application in a Kubernetes cluster with 5 worker nodes. Each microservice is deployed as a Deployment with 3 replicas. Recently, users report intermittent timeouts when accessing the frontend service. The frontend communicates with a backend service via ClusterIP. You check the backend pods and find that one of the three replicas is in CrashLoopBackOff. The other two backend pods are healthy. The frontend deployment has no readiness or liveness probes. You notice that the frontend's connection pool to the backend has a timeout of 5 seconds. The crashing backend pod logs show an occasional NullPointerException that causes the container to restart, but the pod becomes ready after restart within 2 seconds. However, the frontend's connection pool does not evict unhealthy connections quickly. What is the best course of action to reduce timeouts?

A.Increase the number of backend replicas to 5 to absorb the failures.
B.Add a readiness probe to the backend Deployment that checks the application health endpoint.
C.Add a liveness probe to the frontend Deployment.
D.Increase the frontend connection pool timeout to 10 seconds.
AnswerB

Readiness probe will remove the pod from the Service endpoints when it is not ready.

Why this answer

The intermittent timeouts occur because the frontend's connection pool holds stale connections to the backend pod that is in CrashLoopBackOff. Although the pod restarts and becomes ready within 2 seconds, the frontend does not detect that the old connection is broken and continues to use it until the 5-second timeout expires. Adding a readiness probe to the backend Deployment ensures that Kubernetes only sends traffic to pods that pass the health check; when the pod fails the probe, it is removed from the ClusterIP's endpoints, preventing the frontend from routing requests to it and thus eliminating the timeouts.

Exam trap

The trap here is that candidates often confuse readiness and liveness probes, thinking a liveness probe is needed to restart the failing backend pod, but the real issue is traffic routing and connection pool management, which a readiness probe solves by removing the unhealthy pod from the service endpoints.

How to eliminate wrong answers

Option A is wrong because simply increasing the number of replicas does not address the root cause—stale connections to a failing pod—and may only mask the problem while wasting resources. Option C is wrong because adding a liveness probe to the frontend Deployment would restart the frontend pod if it becomes unhealthy, but the frontend itself is not crashing; the issue is connection management to the backend. Option D is wrong because increasing the connection pool timeout to 10 seconds would only make the timeouts longer, not prevent them; the frontend would still wait up to 10 seconds on a broken connection instead of quickly failing over.

156
MCQmedium

A team uses Helm to manage their Kubernetes applications. They need to upgrade a release and want to reuse the values from the previous release while overriding a specific value. Which helm command should they use?

A.helm upgrade --reset-values my-release ./charts/app --set image.tag=v2
B.helm upgrade --reuse-values my-release ./charts/app --set image.tag=v2
C.helm upgrade --atomic my-release ./charts/app --set image.tag=v2
D.helm upgrade --history-max 5 my-release ./charts/app --set image.tag=v2
AnswerB

--reuse-values retains the previous release's values and merges the new --set overrides.

Why this answer

The --reuse-values flag tells Helm to reuse the last release's values and merge any provided overrides. This is the correct approach to preserve existing values while updating a specific one.

157
Multi-Selectmedium

Which THREE of the following are benefits of using a service mesh for observability? (Select three.)

Select 3 answers
A.Reduced network latency
B.Centralized logging of all application logs
C.Distributed tracing across services
D.Collection of detailed metrics for service-to-service communication
E.Automatic instrumentation of application code for traces
AnswersC, D, E

Service mesh can propagate trace context and generate spans for each hop.

Why this answer

A service mesh provides visibility into inter-service communication, adds distributed tracing without code changes, and collects metrics like request latency.

158
MCQmedium

A company wants to adopt a GitOps workflow for managing their Kubernetes clusters. Which two tools are specifically designed for implementing GitOps on Kubernetes?

A.Flux
B.ArgoCD
C.Terraform
D.Jenkins
E.Helm
AnswerA, B

Flux is a CNCF incubating project for GitOps.

Why this answer

ArgoCD and Flux are both CNCF projects that implement GitOps principles, synchronizing cluster state with a Git repository. Helm is a package manager, Terraform is for infrastructure provisioning (not strictly GitOps for Kubernetes), and Jenkins is a CI/CD tool that can be used with GitOps but is not purpose-built for it.

159
MCQmedium

A DevOps team notices that a microservice is returning 503 errors intermittently. The service runs in Kubernetes and uses a liveness probe. The team wants to understand the root cause without restarting the pod. Which observability approach should they use first?

A.Use kubectl describe pod to check recent events
B.Query Prometheus for kubelet metrics on probe successes and failures
C.Increase log verbosity in the application to capture all requests
D.Enable distributed tracing across the service mesh
AnswerB

Metrics like 'probe_success' from kubelet can show probe status over time, helping identify intermittent failures.

Why this answer

Option B is correct because Prometheus can scrape kubelet metrics that expose liveness probe success and failure counts directly, allowing the team to see if the probe is failing without restarting the pod. This approach provides historical data on probe behavior, which is essential for diagnosing intermittent 503 errors that stem from the kubelet restarting the container when the liveness probe fails. Unlike other options, it does not require modifying the application or restarting the pod, and it directly surfaces the root cause if the probe is the issue.

Exam trap

The trap here is that candidates often assume 'kubectl describe pod' (Option A) is sufficient for debugging, but they overlook that its event log is short-lived and may not retain evidence of intermittent failures, whereas Prometheus metrics provide persistent historical data.

How to eliminate wrong answers

Option A is wrong because 'kubectl describe pod' shows recent events, but these events are ephemeral and may not capture intermittent failures that occurred minutes or hours ago, especially if the pod has not been restarted recently. Option C is wrong because increasing log verbosity requires modifying the application deployment and restarting the pod, which the team explicitly wants to avoid, and it does not directly reveal liveness probe failures (which are handled by the kubelet, not the application). Option D is wrong because distributed tracing across the service mesh focuses on request-level latency and errors between services, not on the kubelet's health check mechanism; it would not show liveness probe failures unless the probe itself is instrumented as a span, which is not standard.

160
MCQhard

A Kubernetes cluster runs a critical application that must be updated with zero downtime. The team wants to gradually shift traffic from the old version to the new version over a period of time. Which deployment pattern is MOST appropriate?

A.Rolling update
B.Recreate deployment
C.Blue-green deployment
D.Canary deployment
AnswerD

Canary deployment gradually shifts a percentage of traffic to the new version, allowing monitoring and controlled rollout.

Why this answer

Canary deployment involves rolling out the new version to a small subset of users initially and gradually increasing traffic while monitoring for issues. This minimizes risk and provides control over the rollout.

161
MCQmedium

Which component of the Kubernetes control plane is responsible for storing the cluster state?

A.kube-scheduler
B.etcd
C.kube-apiserver
D.kube-controller-manager
AnswerB

etcd is the key-value store that persists the entire cluster configuration and state.

Why this answer

etcd is a distributed key-value store that holds all cluster data, including configuration, state, and metadata.

162
MCQeasy

Which of the following is NOT one of the three pillars of observability?

A.Metrics
B.Logs
C.Traces
D.Alerts
AnswerD

Alerts are not a pillar; they are typically generated from metrics or logs.

Why this answer

The three pillars are logs, metrics, and traces. Alerts are derived from these pillars but not considered a pillar themselves.

163
MCQmedium

In a multi-cloud scenario, an organization wants to avoid vendor lock-in by abstracting infrastructure provisioning. Which tool is specifically designed to manage infrastructure as code across multiple cloud providers?

A.Helm
B.Istio
C.Terraform
D.ArgoCD
AnswerC

Terraform is a multi-cloud infrastructure-as-code tool that provisions resources across providers.

Why this answer

Terraform is an infrastructure-as-code tool that supports multiple cloud providers (AWS, Azure, GCP, etc.) with a declarative configuration language. Pulumi also supports multiple clouds but is less widely adopted in the CNCF ecosystem.

164
Multi-Selectmedium

Which TWO statements about Kubernetes Pods are correct?

Select 2 answers
A.Containers within a Pod cannot communicate with each other without using Services.
B.A Pod is the smallest deployable unit in Kubernetes.
C.A Pod always runs on a single node.
D.A Pod can contain multiple containers that share the same network namespace.
E.Pods are the most resilient unit in Kubernetes and automatically recover from failures.
AnswersB, D

Pods are the atomic unit of scheduling and deployment.

Why this answer

Option B is correct because a Pod is the smallest and most basic deployable unit in Kubernetes, representing a single instance of a running process in the cluster. Pods encapsulate one or more containers, storage resources, and a unique network IP, and they are the atomic unit for scheduling, scaling, and lifecycle management.

Exam trap

The trap here is that candidates often confuse Pods with virtual machines or assume containers within a Pod need Services to communicate, when in fact they share a network namespace and can use localhost directly.

165
MCQmedium

Which of the following is a benefit of container orchestration?

A.Requires a hypervisor for each container
B.Manual scaling of containers
C.Static infrastructure with no changes
D.Self-healing of failed containers
AnswerD

Orchestration restarts failed containers automatically.

Why this answer

Container orchestration platforms like Kubernetes provide self-healing capabilities by automatically restarting failed containers, rescheduling them on healthy nodes, and replacing or terminating containers that fail health checks. This ensures high availability and reduces manual intervention, which is a core benefit of orchestration.

Exam trap

CNCF often tests the misconception that container orchestration is only about initial deployment, when in fact its key value is ongoing automated management like self-healing and scaling.

How to eliminate wrong answers

Option A is wrong because container orchestration does not require a hypervisor for each container; containers share the host OS kernel and run as isolated processes, unlike VMs that need a hypervisor. Option B is wrong because container orchestration enables automatic scaling (e.g., horizontal pod autoscaling in Kubernetes), not manual scaling, which would defeat the purpose of automation. Option C is wrong because container orchestration promotes dynamic infrastructure with automated deployment, scaling, and updates, not static infrastructure with no changes.

166
MCQhard

A production issue arises: a Deployment with 10 replicas is updated, but the new Pods are failing health checks and being terminated. The old Pods are also being terminated. What is the most likely cause?

A.The Deployment's 'paused' field is set to true
B.The Deployment's 'revisionHistoryLimit' is set to 1
C.maxSurge and maxUnavailable are set to values that allow termination of old Pods before new ones are ready
D.The RollingUpdate strategy has maxSurge=0 and maxUnavailable=0
AnswerC

For example, maxSurge=1 and maxUnavailable=1 allows the rollout to continue even if new Pods are unhealthy, potentially terminating old ones.

Why this answer

If minReadySeconds or maxSurge/maxUnavailable are set incorrectly, the rollout can progress despite failures. The most common cause is that the Deployment's 'progressDeadlineSeconds' may be exceeded, but the question implies both old and new are being terminated. The correct answer is that maxSurge and maxUnavailable are misconfigured, causing the rollout to continue even when new Pods are unhealthy.

167
MCQmedium

Which field in a Pod's container specification defines the minimum amount of CPU guaranteed to the container?

A.spec.containers.cpu
B.resources.requests.cpu
C.resources.limits.cpu
D.spec.nodeSelector
AnswerB

Requests specify the minimum amount of CPU reserved for the container.

Why this answer

Option B is correct because in Kubernetes, the `resources.requests.cpu` field specifies the minimum amount of CPU guaranteed to a container. This value is used by the scheduler to ensure the node has enough allocatable CPU, and by the kubelet to enforce CPU shares via the Completely Fair Scheduler (CFS) in the Linux kernel.

Exam trap

The trap here is that candidates often confuse `requests` (guaranteed minimum) with `limits` (maximum allowed), especially since both are defined under `resources` and both use the same unit (e.g., millicores).

How to eliminate wrong answers

Option A is wrong because `spec.containers.cpu` is not a valid field; CPU requests are nested under `resources.requests.cpu`. Option C is wrong because `resources.limits.cpu` defines the maximum CPU a container can burst to, not the guaranteed minimum. Option D is wrong because `spec.nodeSelector` is a scheduling constraint that selects nodes based on labels, not a container resource specification.

168
Multi-Selectmedium

Which TWO of the following are capabilities of ArgoCD? (Choose two.)

Select 2 answers
A.Building container images from source code
B.Automated application sync from Git to cluster
C.Self-healing to correct configuration drift
D.Running unit tests during deployment
E.Managing secrets using Kubernetes Secrets
AnswersB, C

ArgoCD syncs applications automatically or on demand.

Why this answer

ArgoCD provides automated sync (applying desired state from Git) and self-healing (automatically reverting configuration drift). It is not a CI tool and does not build images.

169
MCQeasy

Which component in Kubernetes is responsible for managing the lifecycle of pods and ensuring the desired number of replicas are running?

A.Kube-proxy
B.Kubelet
C.Controller Manager
D.ReplicaSet
AnswerD

ReplicaSet ensures a stable set of replica pods running at any given time.

Why this answer

The ReplicaSet is the controller that ensures the specified number of pod replicas are running at any given time.

170
MCQeasy

Which CNCF project is a graduated project for service discovery and configuration management?

A.Prometheus
B.Fluentd
C.Envoy
D.Consul
AnswerD

Consul provides service discovery and configuration.

Why this answer

Consul is a CNCF graduated project that provides service discovery and configuration management.

171
Multi-Selecthard

Which THREE of the following are valid ways to expose a set of pods as a network service in Kubernetes?

Select 3 answers
A.Creating a Service of type NodePort.
B.Creating a headless Service (clusterIP: None).
C.Creating an Ingress resource.
D.Creating a Deployment with a label selector.
E.Creating a Service of type ClusterIP.
AnswersA, C, E

Correct; NodePort exposes on a static port on each node.

Why this answer

A Service of type NodeType exposes the pods on a static port on each node's IP address, making the service accessible externally. This is a valid method for exposing a set of pods as a network service in Kubernetes.

Exam trap

Cisco often tests the distinction between workload resources (like Deployments) and networking resources (like Services and Ingresses), leading candidates to mistakenly think a Deployment alone can expose pods as a network service.

172
Multi-Selecthard

Which THREE of the following are components of the GitOps workflow? (Choose three.)

Select 3 answers
A.A CI/CD pipeline that validates changes before merging
B.A configuration management database (CMDB)
C.A Git repository containing declarative configuration
D.A manual approval process for every change
E.An operator (e.g., ArgoCD) that syncs the cluster state with Git
AnswersA, C, E

CI/CD ensures changes are correct before applying.

Why this answer

GitOps relies on a Git repository as single source of truth, a CI/CD pipeline to validate changes, and an operator to sync the cluster.

173
MCQeasy

Which Helm command is used to upgrade a release to a newer version of a chart?

A.helm upgrade
B.helm rollback
C.helm update
D.helm install
AnswerA

helm upgrade updates an existing release to a new chart version or configuration.

Why this answer

The 'helm upgrade' command upgrades an existing release with a new chart version or configuration.

174
MCQmedium

In a Helm chart, which file is used to define default configuration values that can be overridden by users during installation?

A.templates/ directory
B.charts/ directory
C.values.yaml
D.Chart.yaml
AnswerC

Why this answer

values.yaml is the conventional file in Helm charts for default values. Users can override these with --set or custom values files. Option B (Chart.yaml) contains metadata.

Option C (templates/) contains Kubernetes manifest templates. Option D (charts/) contains subchart dependencies.

175
MCQhard

A team wants to deploy a multi-cloud application that uses cloud-specific services. Which pattern is most appropriate?

A.Single-cloud vendor lock-in to reduce complexity
B.Manually managing each cloud separately without automation
C.Only using serverless functions from one provider
D.Using cloud-agnostic abstractions and infrastructure as code across providers
AnswerD

Tools like Terraform and Kubernetes enable portability across clouds.

Why this answer

Option D is correct because using cloud-agnostic abstractions (e.g., Kubernetes for container orchestration, Terraform for infrastructure as code) allows the team to deploy across multiple clouds while still integrating cloud-specific services via provider-agnostic interfaces or abstraction layers. This pattern reduces vendor lock-in, enables consistent deployment workflows, and supports portability without sacrificing the ability to use unique services from each cloud provider.

Exam trap

The trap here is that candidates may think 'cloud-agnostic' means avoiding all cloud-specific services, but the correct pattern allows using them through abstraction layers, not eliminating them entirely.

How to eliminate wrong answers

Option A is wrong because single-cloud vendor lock-in contradicts the requirement for a multi-cloud application; it increases dependency on one provider and reduces flexibility. Option B is wrong because manually managing each cloud separately without automation introduces high operational overhead, configuration drift, and inconsistent deployments, which is inefficient and error-prone for multi-cloud scenarios. Option C is wrong because only using serverless functions from one provider still results in vendor lock-in and does not address the need to use cloud-specific services across multiple providers in a multi-cloud architecture.

176
MCQmedium

Which kubectl command is used to create or update resources defined in a YAML file?

A.kubectl update -f file.yaml
B.kubectl create -f file.yaml
C.kubectl apply -f file.yaml
D.kubectl set -f file.yaml
AnswerC

This creates or updates resources based on the current state defined in the file.

Why this answer

Option C is correct because `kubectl apply -f file.yaml` uses a declarative approach to create or update Kubernetes resources. It sends the YAML configuration to the API server, which compares the desired state with the current state and applies the necessary changes, storing the last-applied configuration in an annotation for future updates.

Exam trap

The trap here is that candidates confuse `kubectl create` (imperative, fails on existing resources) with `kubectl apply` (declarative, handles both create and update), or assume a non-existent `kubectl update` command exists based on other tools like `apt update`.

How to eliminate wrong answers

Option A is wrong because `kubectl update` is not a valid kubectl command; Kubernetes uses `kubectl edit`, `kubectl patch`, or `kubectl apply` to modify resources, not `update`. Option B is wrong because `kubectl create -f file.yaml` only creates new resources and will fail if the resource already exists, whereas the question asks for creating OR updating. Option D is wrong because `kubectl set -f file.yaml` is not a valid command; `kubectl set` is used to modify specific fields of live resources (e.g., `kubectl set image`), not to apply a full YAML file.

177
Multi-Selecteasy

Which TWO components are part of the Kubernetes control plane?

Select 2 answers
A.container runtime
B.kubelet
C.kube-apiserver
D.etcd
E.kube-proxy
AnswersC, D

kube-apiserver is the front-end for the Kubernetes control plane.

Why this answer

The Kubernetes control plane manages the cluster's state and scheduling decisions. The kube-apiserver (C) is the front-end for the control plane, exposing the Kubernetes API, while etcd (D) is the distributed key-value store that holds all cluster data, including configuration and state. Both are essential control plane components.

Exam trap

CNCF often tests the misconception that kubelet or kube-proxy are control plane components because they are essential for node operation, but they actually run on worker nodes and are considered node-level services.

178
Multi-Selectmedium

Which two of the following are valid ways to expose a set of Pods to external traffic?

Select 2 answers
A.Create a Service of type NodePort
B.Use a ConfigMap to expose the Pods
C.Create an Ingress resource without a Service
D.Create a Service of type LoadBalancer
E.Create a Service of type ClusterIP
AnswersA, D

NodePort exposes the Service on each node's IP at a static port.

Why this answer

NodePort and LoadBalancer are two Service types that expose applications externally.

179
MCQhard

In the context of resiliency patterns, which pattern is designed to prevent a cascade of failures by isolating each component so that a failure in one component does not affect others?

A.Retry
B.Circuit breaker
C.Timeout
D.Bulkhead
AnswerD

Bulkhead isolates components into separate pools so that a failure in one does not affect others.

Why this answer

The bulkhead pattern isolates resources (e.g., thread pools, connections) so that a failure in one part of the system doesn't bring down other parts. Circuit breaker is for handling failures of external calls, not isolation.

180
MCQhard

A pod uses a ServiceAccount that has a RoleBinding to a Role with 'get', 'list', 'watch' on 'pods'. The pod tries to list pods in the same namespace. Will the request succeed?

A.No, because there is a deny rule for pods
B.Yes, because the Role grants 'list' on pods
C.No, because ServiceAccount cannot list pods
D.Yes, but only if the ServiceAccount also has a ClusterRoleBinding
AnswerB

The Role includes 'list' permission, and the binding applies to the same namespace.

Why this answer

Option A is correct. In Kubernetes RBAC, permissions are additive. The Role grants get, list, watch on pods.

Listing pods requires 'list' permission, which is granted. Option B is incorrect because there is no deny rule; RBAC is deny by default, but the RoleBinding grants the permission. Option C is incorrect because the ServiceAccount is bound to a Role, which is for a single namespace.

Option D is incorrect; pod listing does not require a ClusterRole.

181
Multi-Selectmedium

Which TWO statements are true about Kustomize? (Choose 2)

Select 2 answers
A.It supports patching Kubernetes resources via strategic merge patches or JSON patches.
B.It automatically handles canary traffic routing.
C.It relies on Go templating to generate Kubernetes manifests.
D.It uses a base and overlay model to manage environment-specific configurations.
E.It can be used to package and deploy Helm charts.
AnswersA, D

Why this answer

Kustomize uses a base+overlay model without templating (A). It supports patching to customize resources (B). Option C is false because Kustomize does not use templates (it's template-free).

Option D is false because Kustomize does not manage Helm charts natively. Option E is false because Kustomize does not handle traffic routing.

182
MCQeasy

What is the primary purpose of a container registry in the CI/CD pipeline?

A.To store and distribute container images
B.To run unit tests on container images
C.To store application source code
D.To scan images for vulnerabilities
AnswerA

Container registries like Docker Hub, Google Container Registry, or AWS ECR store images and allow them to be pulled by Kubernetes or other systems.

Why this answer

Container registries store container images after they are built, allowing them to be pulled by Kubernetes clusters during deployment. They are the intermediary between CI and CD.

183
MCQmedium

An application is instrumented with OpenTelemetry to export traces to Jaeger. The team notices that some traces are incomplete. What is the most likely cause?

A.Context propagation is not correctly implemented
B.Span attributes are missing
C.Sampling rate is too high
D.Jaeger database is full
AnswerA

Missing context propagation breaks trace continuity.

Why this answer

Incomplete traces often occur when context propagation is not implemented correctly, causing spans to be disconnected.

184
MCQmedium

A user wants to run a one-time batch job that runs to completion. Which Kubernetes resource should they use?

A.Job
B.StatefulSet
C.DaemonSet
D.Deployment
AnswerA

Jobs manage pods that run to completion.

Why this answer

A Job is designed to run a specified number of pods to successful completion, ideal for batch processing.

185
Multi-Selectmedium

Which TWO components are part of the Kubernetes control plane? (Select exactly two.)

Select 2 answers
A.kube-proxy
B.kubelet
C.container runtime
D.kube-apiserver
E.kube-scheduler
AnswersD, E

API server is a control plane component.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane, exposing the Kubernetes API for all cluster operations. The kube-scheduler is responsible for assigning newly created pods to nodes based on resource availability and policy constraints. Both are essential control plane components that manage cluster state and scheduling decisions.

Exam trap

CNCF often tests the distinction between control plane and worker node components, and the trap here is that candidates confuse kube-proxy or kubelet (which run on every node) with control plane components because they are essential for cluster operation, but they are not part of the control plane itself.

186
MCQhard

A Kubernetes cluster has multiple worker nodes. You create a Pod without any node selector. The scheduler places the pod on a node, but the pod remains in 'Pending' state. 'kubectl describe pod' shows '0/1 nodes are available: 1 node had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What does this indicate?

A.The node has a taint that the pod does not tolerate
B.The pod has a resource request that exceeds the node's capacity
C.The node is cordoned and should be uncordoned
D.The node is out of disk space
AnswerA

The error explicitly states the node had a taint that the pod didn't tolerate.

Why this answer

The node is tainted, and the pod lacks the corresponding toleration. The scheduler cannot schedule the pod on that node.

187
MCQhard

A user reports that their application's DNS resolution is failing for a Service named 'my-service' in the same namespace. They are able to reach the Service by its cluster IP. Which of the following is the most likely cause?

A.The application container is using an incorrect DNS policy
B.The kube-proxy is misconfigured on the node
C.The CoreDNS pod is not running or misconfigured
D.The Service is of type ExternalName
AnswerC

CoreDNS is responsible for DNS resolution for Services. If CoreDNS is down or misconfigured, DNS queries for Services will fail.

Why this answer

Option C is correct because DNS resolution for a Service in the same namespace relies on CoreDNS, which is the cluster DNS provider in Kubernetes. If CoreDNS is not running or misconfigured, DNS queries for the Service name (e.g., 'my-service') will fail, even though the Service is reachable via its cluster IP. The user's ability to reach the Service by IP confirms that kube-proxy and networking are functional, isolating the issue to DNS resolution.

Exam trap

CNCF often tests the distinction between DNS resolution and Service reachability, trapping candidates who assume that a DNS failure must be caused by the application's DNS policy rather than the cluster DNS service itself.

How to eliminate wrong answers

Option A is wrong because an incorrect DNS policy (e.g., ClusterFirstWithHostNet or None) would affect how the container resolves names, but it would not cause a complete failure for a Service in the same namespace if CoreDNS is healthy; the user can still reach the Service by IP, indicating the DNS policy is not the primary issue. Option B is wrong because kube-proxy is responsible for implementing Service IP-to-Pod routing via iptables or IPVS; since the user can reach the Service by its cluster IP, kube-proxy is functioning correctly. Option D is wrong because a Service of type ExternalName returns a CNAME record, not a cluster IP; the user can reach the Service by its cluster IP, so the Service cannot be of type ExternalName.

188
MCQhard

An application is deployed across multiple cloud providers (AWS and GCP) to avoid vendor lock-in. This is an example of which pattern?

A.Public cloud
B.Federated cloud
C.Hybrid cloud
D.Multi-cloud
AnswerD

Multi-cloud involves using multiple public cloud providers.

Why this answer

Multi-cloud refers to using services from multiple cloud providers simultaneously.

189
MCQmedium

A Service of type ClusterIP is created. What is the default behavior of this Service?

A.It exposes the Service externally via a cloud load balancer
B.It exposes the Service on a static port on each node
C.It routes traffic to Pods based on external DNS names
D.It exposes the Service on a cluster-internal IP
AnswerD

ClusterIP is the default and provides internal connectivity only.

Why this answer

Option D is correct because a ClusterIP Service is the default Kubernetes Service type, which assigns a virtual IP address reachable only within the cluster. Traffic sent to this IP is load-balanced across the Pods selected by the Service's label selector, using iptables or IPVS rules. No external access is provided unless an Ingress or other mechanism is explicitly configured.

Exam trap

The trap here is that candidates often confuse the default Service type (ClusterIP) with NodePort or LoadBalancer, assuming a Service must be externally accessible by default, but Kubernetes intentionally isolates ClusterIP Services to internal cluster traffic only.

How to eliminate wrong answers

Option A is wrong because exposing a Service externally via a cloud load balancer is the behavior of a Service of type LoadBalancer, not ClusterIP. Option B is wrong because exposing the Service on a static port on each node is the behavior of a Service of type NodePort, which opens a high-port on every node's IP. Option C is wrong because routing traffic based on external DNS names is not a native Service behavior; DNS-based routing is typically handled by an Ingress controller or external DNS integration, not by a ClusterIP Service.

190
MCQmedium

What type of Prometheus metric is best suited to count the total number of HTTP requests received by a service?

A.Histogram
B.Gauge
C.Summary
D.Counter
AnswerD

Counter is a cumulative metric that increases monotonically, suitable for counting requests.

Why this answer

A counter is a cumulative metric that can only increase or be reset to zero, ideal for counting events like requests.

191
MCQmedium

Which tool is specifically designed for log aggregation and is built by Grafana Labs as a lightweight, cost-effective alternative to traditional log systems?

A.Loki
B.Zipkin
C.Prometheus
D.Jaeger
AnswerA

Correct. Loki is a log aggregation system from Grafana Labs.

Why this answer

Loki is a log aggregation system optimized for Kubernetes, designed to be cost-effective and easy to operate.

192
MCQmedium

You are troubleshooting a service that is not accessible from within the cluster. The service has a label selector that matches the pods. You run 'kubectl get endpoints myservice' and see that the ENDPOINTS column is empty. What is the most likely cause?

A.The kube-proxy is not running
B.The service's label selector does not match any pods
C.The service is in a different namespace
D.The service type is LoadBalancer and no external load balancer is provisioned
AnswerB

Endpoints are created for pods matching the selector; if none match, endpoints are empty.

Why this answer

An empty endpoints list indicates that the service's label selector does not match any pods, or the pods are not ready.

193
MCQmedium

Which field in a Deployment YAML specifies the number of pod replicas?

A.spec.replicas
B.spec.template.spec.replicas
C.spec.replicaCount
D.spec.selector.matchLabels
AnswerA

This is the correct field.

Why this answer

The 'replicas' field under 'spec' determines how many pod instances should be running.

194
Multi-Selectmedium

Which TWO of the following are Prometheus metric types? (Select two.)

Select 2 answers
A.Event
B.Gauge
C.Set
D.Counter
E.Timer
AnswersB, D

Gauge represents a single numerical value that can go up and down.

Why this answer

Prometheus metric types include Counter, Gauge, Histogram, and Summary. Options A and B are correct.

195
MCQhard

A team wants to set up alerts when a Kubernetes pod consumes more than 90% of its memory limit for over 5 minutes. They use Prometheus and Alertmanager. Which Prometheus query would trigger an alert for a specific pod named 'web-app' in the 'default' namespace?

A.container_memory_usage_bytes{pod='web-app'} > 0.9
B.container_memory_usage_bytes{pod='web-app'} / container_spec_memory_limit_bytes{pod='web-app'} > 0.9
C.avg(container_memory_usage_bytes{pod='web-app'}) > 0.9
D.container_memory_limit_bytes{pod='web-app'} > 0.9
AnswerB

This calculates the percentage of memory used relative to the limit.

Why this answer

The correct query divides container memory usage by its limit and compares to 0.9.

196
Multi-Selecthard

Which TWO of the following are features of a service mesh like Istio or Linkerd? (Select 2)

Select 2 answers
A.Container image building
B.Traffic management (routing, load balancing)
C.Observability (metrics, tracing, logs)
D.Service discovery
E.Auto-scaling of services
AnswersB, C

Service mesh enables fine-grained traffic management.

Why this answer

Service mesh provides observability (metrics, tracing, logs) and traffic management (routing, load balancing). Auto-scaling is not a service mesh feature; it's handled by Kubernetes HPA or Knative. Service discovery is also not a direct feature of service mesh; it's typically provided by Kubernetes DNS.

197
MCQeasy

What is the purpose of values.yaml in a Helm chart?

A.To specify the chart metadata
B.To define the Kubernetes resources to create
C.To define the release name
D.To store default configuration values for the chart
AnswerD

values.yaml holds default parameters.

Why this answer

values.yaml provides default configuration values that can be overridden at install/upgrade time.

198
MCQmedium

In Kustomize, what is the purpose of an overlay?

A.To apply environment-specific customizations on top of a base
B.To merge multiple Kubernetes manifests into one
C.To template variables into YAML files
D.To define the base configuration of an application
AnswerA

Overlays use patches to modify the base for specific environments.

Why this answer

Kustomize overlays allow customizing a base configuration for different environments (e.g., dev, prod) by applying patches without modifying the base.

199
MCQmedium

You need to update a Deployment's container image from nginx:1.14 to nginx:1.16 and ensure zero downtime. Which kubectl command should you use?

A.kubectl set image deployment/my-deployment nginx=nginx:1.16
B.kubectl patch deployment my-deployment -p '{"spec":{"template":{"spec":{"containers":[{"name":"nginx","image":"nginx:1.16"}]}}}}'
C.kubectl edit deployment my-deployment --image=nginx:1.16
D.kubectl update deployment my-deployment --image=nginx:1.16
AnswerA

This command updates the container image and triggers a rolling update.

Why this answer

The 'set image' command updates the container image for a Deployment, triggering a rolling update by default.

200
MCQmedium

A DevOps team wants to implement GitOps for their Kubernetes cluster. Which tool is specifically designed for Kubernetes GitOps and can automatically sync the cluster state with a Git repository?

A.ArgoCD
B.Jenkins
C.Kustomize
D.Helm
AnswerA

Why this answer

ArgoCD is a GitOps tool that continuously monitors a Git repository and syncs the cluster state. Flux is also a GitOps tool but the question asks for a tool specifically designed for Kubernetes GitOps; both are valid, but ArgoCD is more commonly associated with the term 'GitOps'. Option A (Helm) is a package manager.

Option B (Kustomize) is a configuration management tool. Option D (Jenkins) is a CI/CD tool but not GitOps-native.

201
Multi-Selecthard

Which TWO of the following are valid methods to expose a set of pods to external traffic in Kubernetes?

Select 2 answers
A.LoadBalancer Service
B.NodePort Service
C.Headless Service
D.ClusterIP Service
E.Ingress
AnswersA, B

Provisions an external load balancer.

Why this answer

A LoadBalancer Service is a valid method to expose pods to external traffic because it provisions an external load balancer (e.g., AWS ELB, GCP LB) that assigns a public IP address, routing external traffic to the Service's ClusterIP and then to the pods. This is a standard Kubernetes Service type defined in the ServiceSpec, making it correct for external exposure.

Exam trap

Cisco often tests the distinction between 'exposing pods' and 'routing traffic' — the trap here is that candidates mistakenly select Ingress as a direct exposure method, when in fact Ingress only defines routing rules and relies on a Service (like NodePort or LoadBalancer) to actually make pods reachable from outside the cluster.

202
MCQhard

You have a Deployment with 3 replicas. You need to perform a rolling update with 2 extra pods during the update and ensure that only 1 pod is unavailable at any time. Which update strategy configuration achieves this?

A.maxSurge: 1, maxUnavailable: 2
B.maxSurge: 0, maxUnavailable: 2
C.maxSurge: 3, maxUnavailable: 0
D.maxSurge: 2, maxUnavailable: 1
AnswerD

Why this answer

The maxSurge field controls how many extra pods can be created above the desired count during an update. maxUnavailable controls how many pods can be unavailable. To have 2 extra pods (maxSurge=2) and only 1 unavailable (maxUnavailable=1), the correct configuration is maxSurge=2, maxUnavailable=1.

203
Multi-Selecteasy

Which two of the following are benefits of using Kubernetes for container orchestration? (Select TWO.)

Select 2 answers
A.Integrated continuous integration pipeline
B.Automatic code compilation
C.Self-healing: automatically restarts failed containers
D.Built-in database management
E.Automated rollouts and rollbacks
AnswersC, E

Kubernetes replaces containers that fail.

Why this answer

Kubernetes provides self-healing and automated scaling.

204
MCQhard

Which of the following patterns is used to improve resilience by isolating failures to a subset of components?

A.Timeout
B.Retry
C.Circuit breaker
D.Bulkhead
AnswerD

Why this answer

The Bulkhead pattern (D) is correct because it isolates failures by partitioning resources (e.g., thread pools, connections) into separate pools for different components or services. This prevents a failure in one component from exhausting shared resources and cascading to others, directly improving resilience by containing the blast radius.

Exam trap

CNCF often tests the distinction between patterns that prevent cascading failures (Bulkhead) versus patterns that handle transient failures (Retry/Timeout) or protect against repeated failures (Circuit Breaker), leading candidates to confuse the goal of isolation with failure detection or recovery.

How to eliminate wrong answers

Option A is wrong because Timeout is a pattern that limits the wait time for a response, preventing indefinite hangs, but it does not isolate failures to a subset of components—it only terminates slow operations. Option B is wrong because Retry is a pattern that automatically reattempts a failed operation, which can help with transient failures but does not isolate failures; in fact, it can exacerbate resource exhaustion if not combined with other patterns. Option C is wrong because Circuit Breaker is a pattern that monitors for failures and stops requests to a failing service to allow recovery, but it does not isolate failures to a subset of components—it protects callers from a failing dependency, not partition resources across components.

205
Multi-Selecteasy

Which TWO statements about container images are correct? (Choose two.)

Select 2 answers
A.Images are always pulled from a private registry
B.Each layer is identified by a unique hash
C.Images can be modified at runtime by writing to the container layer
D.Images are built from a series of read-only layers
E.Images are stored on the host filesystem after being pulled
AnswersB, D

Layers are content-addressable and identified by their digest.

Why this answer

Option B is correct because each layer in a container image is identified by a unique content-addressable hash (typically a SHA-256 digest). This hash is computed from the layer's contents and metadata, ensuring integrity and enabling layer caching and deduplication across images. The hash is used in the image manifest (as defined by the OCI Image Specification) to reference each layer uniquely.

Exam trap

CNCF often tests the misconception that images are stored directly on the host filesystem like regular files, when in reality they are stored in a runtime-managed cache (e.g., /var/lib/docker) and are not directly accessible as ordinary files.

206
MCQmedium

A pod spec includes a liveness probe that runs 'cat /tmp/healthy'. The probe is configured with initialDelaySeconds: 10, periodSeconds: 5. At what point does the kubelet first execute the probe?

A.Immediately after the pod is created
B.Only when the container is unhealthy
C.5 seconds after the container starts
D.10 seconds after the container starts
AnswerD

The initialDelaySeconds of 10 means the probe is first executed 10 seconds after the container starts.

Why this answer

The kubelet first executes the liveness probe 10 seconds after the container starts because `initialDelaySeconds: 10` tells the kubelet to wait that long before initiating the first probe. The `periodSeconds: 5` only defines the interval between subsequent probes, not the initial delay. This ensures the container has time to start and create the `/tmp/healthy` file before being checked.

Exam trap

The trap here is confusing `initialDelaySeconds` with `periodSeconds`, leading candidates to think the probe runs after 5 seconds (the period) instead of 10 seconds (the initial delay).

How to eliminate wrong answers

Option A is wrong because the kubelet does not execute probes immediately after pod creation; it waits for the container to start and then applies `initialDelaySeconds`. Option B is wrong because liveness probes are executed periodically regardless of container health, not only when the container is unhealthy; the probe itself determines health. Option C is wrong because `periodSeconds: 5` controls the interval between probes after the first one, not the initial delay; the first probe occurs after `initialDelaySeconds`, which is 10 seconds.

207
MCQmedium

Which DORA metric measures the percentage of deployments that cause a failure in production?

A.Lead time for changes
B.Mean time to recover (MTTR)
C.Change failure rate
D.Deployment frequency
AnswerC

Change failure rate is the percentage of deployments causing failure.

Why this answer

Change failure rate is the percentage of deployments that result in degraded service or require remediation.

208
MCQhard

A developer wants to inject environment variables into a pod from a ConfigMap named 'app-config'. Which YAML snippet correctly mounts all key-value pairs from the ConfigMap as environment variables?

A.env: - name: CONFIG value: "$(CONFIGMAP)"
B.envFrom: - configMapRef: name: app-config
C.volumes: - name: config configMap: name: app-config volumeMounts: - name: config mountPath: /etc/config
D.env: - name: CONFIG valueFrom: configMapKeyRef: name: app-config key: config.yaml
AnswerB

This mounts all keys from the ConfigMap as environment variables.

Why this answer

Option B is correct because `envFrom` with a `configMapRef` injects all key-value pairs from the ConfigMap named 'app-config' as environment variables into the container. This is the standard Kubernetes method for bulk injection of ConfigMap data into environment variables, as opposed to selecting individual keys.

Exam trap

The trap here is that candidates often confuse `envFrom` (bulk injection) with `env` + `configMapKeyRef` (single key injection) or volume mounts (file-based injection), leading them to pick options that inject only one key or mount files instead of environment variables.

How to eliminate wrong answers

Option A is wrong because `env` with `value: "$(CONFIGMAP)"` is not valid syntax; Kubernetes does not support referencing a ConfigMap via a variable expansion like `$(CONFIGMAP)` — it requires explicit `valueFrom` or `envFrom`. Option C is wrong because it mounts the ConfigMap as a volume at `/etc/config`, which injects keys as files, not as environment variables — this does not satisfy the requirement to inject them as environment variables. Option D is wrong because it uses `env` with `configMapKeyRef` to inject only a single key (`config.yaml`) from the ConfigMap, not all key-value pairs.

209
MCQeasy

Which of the following is considered one of the three pillars of observability?

A.Events
B.Metrics
C.Alerts
D.Profiles
AnswerB

Metrics are one of the three pillars of observability, along with logs and traces.

Why this answer

The three pillars of observability in cloud native environments are logs, metrics, and traces.

210
MCQmedium

A DevOps team notices that a new deployment of a web application is not receiving traffic even though the pods are running. The deployment has a selector matching the pod labels, and a Service of type ClusterIP exists. What is the most likely cause?

A.The Service's targetPort does not match the container's containerPort.
B.The pods do not have a readiness probe defined.
C.The Service type should be NodePort to receive traffic.
D.The Service is not exposed via an Ingress.
AnswerA

The Service routes traffic to the targetPort, which must match the port the container listens on.

Why this answer

The most likely cause is that the Service's targetPort does not match the container's containerPort. In Kubernetes, a Service routes traffic to pods by forwarding packets to the port specified in the Service's `targetPort` field. If this does not match the `containerPort` defined in the pod's container spec, the traffic will be dropped because the kube-proxy will forward packets to a closed port on the pod, resulting in no connectivity even though the pods are running.

Exam trap

The trap here is that candidates often confuse the Service's `port` (the port the Service listens on) with `targetPort` (the port on the pod), assuming they must match, or they incorrectly attribute the issue to missing readiness probes or Ingress resources.

How to eliminate wrong answers

Option B is wrong because a readiness probe controls whether a pod is considered ready to receive traffic, but its absence does not prevent traffic from being sent to the pod; it simply means the pod will always be considered ready. Option C is wrong because a Service of type ClusterIP is perfectly capable of receiving traffic within the cluster; NodePort is only needed for external access from outside the cluster, not for internal traffic. Option D is wrong because an Ingress is an optional API object for HTTP/HTTPS routing and is not required for a ClusterIP Service to receive traffic; the Service itself can be accessed directly via its cluster IP.

211
MCQeasy

A developer wants to run a one-time batch job that processes a queue and then terminates. Which Kubernetes resource should they use?

A.Job
B.StatefulSet
C.Deployment
D.DaemonSet
AnswerA

Jobs run pods until successful completion.

Why this answer

A Kubernetes Job is designed for finite, batch-oriented tasks that run to completion, such as processing a queue and then terminating. Unlike controllers that maintain a desired state (like Deployments or StatefulSets), a Job creates one or more Pods and ensures they successfully exit, making it the correct choice for a one-time batch job.

Exam trap

The trap here is that candidates confuse a Job with a Deployment, assuming that any workload that 'runs' must be a Deployment, but Deployments are designed for long-running services and will restart terminated Pods, whereas a Job is the correct resource for workloads that should run to completion and then stop.

How to eliminate wrong answers

Option B (StatefulSet) is wrong because it is used for stateful applications that require stable, unique network identities and persistent storage, not for one-time batch jobs. Option C (Deployment) is wrong because it manages a set of Pods intended to run continuously (e.g., web servers) and will restart Pods if they exit, which is the opposite of a terminating batch job. Option D (DaemonSet) is wrong because it ensures that a copy of a Pod runs on every node (or a subset of nodes) in the cluster, typically for long-running system services like log collectors or monitoring agents, not for one-time tasks.

212
MCQmedium

A Kubernetes cluster has a single control plane node and two worker nodes. The control plane node fails. What is the immediate impact on the workloads running on the worker nodes?

A.All workloads will stop immediately
B.Existing workloads continue running, but no new pods can be scheduled
C.The kubelet on worker nodes will restart all pods
D.Workloads will be automatically migrated to another cluster
AnswerB

The kubelet on worker nodes keeps existing pods running, but the scheduler cannot assign new pods without the control plane.

Why this answer

Option B is correct because in Kubernetes, the control plane is responsible for scheduling new pods and maintaining desired state via the API server, controller manager, and scheduler. When the control plane fails, the kubelets on worker nodes continue to run existing pods based on their local state, but the scheduler cannot assign new pods to nodes, and the API server is unavailable for updates or scaling operations.

Exam trap

CNCF often tests the misconception that the control plane is required for all pod operations, leading candidates to assume workloads stop immediately, when in fact the kubelet provides resilience for existing pods.

How to eliminate wrong answers

Option A is wrong because existing workloads are managed by the kubelet on each worker node, which runs pods independently of the control plane; they do not stop immediately. Option C is wrong because the kubelet does not restart all pods upon control plane failure; it only restarts pods that have failed according to its local restart policy, not as a reaction to the control plane being down. Option D is wrong because Kubernetes does not automatically migrate workloads to another cluster; migration requires manual intervention or a multi-cluster management tool like KubeFed or a service mesh.

213
MCQmedium

What is the purpose of a Readiness Probe in a Kubernetes pod?

A.To ensure the pod is scheduled on a specific node
B.To restart the container if it becomes unresponsive
C.To check if the container is ready to start accepting traffic
D.To check if the container is running
AnswerC

Readiness probe signals readiness to serve.

Why this answer

A Readiness Probe indicates whether a pod is ready to serve traffic; if it fails, the pod is removed from Service endpoints.

214
Multi-Selectmedium

Which TWO resources can be used to store configuration data separately from container images?

Select 2 answers
A.Service
B.PersistentVolume
C.Secret
D.Deployment
E.ConfigMap
AnswersC, E

Secrets store sensitive data like passwords or tokens.

Why this answer

ConfigMaps and Secrets are Kubernetes API objects designed specifically to decouple configuration data and sensitive information from container images. ConfigMaps store non-sensitive key-value pairs (e.g., environment variables, command-line arguments, or configuration files), while Secrets store sensitive data (e.g., passwords, tokens, or SSH keys) in base64-encoded or encrypted form. Both can be mounted into pods as volumes or injected as environment variables, allowing image reuse across different environments without rebuilding.

Exam trap

CNCF often tests the distinction between storage for configuration data (ConfigMaps/Secrets) vs. storage for application data (PersistentVolumes), so candidates mistakenly select PersistentVolume thinking it can store config files, but it is intended for stateful workloads like databases, not for decoupling configuration from images.

215
MCQmedium

Which Kubernetes command displays the current state of a pod, including its IP address, node, and container statuses?

A.kubectl get pod -o wide
B.kubectl describe pod
C.kubectl logs pod
D.kubectl get pod
AnswerA

The -o wide flag adds details such as node and IP.

Why this answer

Option A is correct because `kubectl get pod -o wide` extends the default output to include additional columns such as the pod's IP address, the node it is scheduled on, and the container statuses (e.g., READY state). This command queries the Kubernetes API server for the pod's current state and formats the response with extra details, making it the most direct way to view the pod's IP and node assignment in a single line.

Exam trap

The trap here is that candidates often assume `kubectl get pod` alone shows all relevant pod details, but Cisco tests the specific requirement for the `-o wide` flag to expose the pod IP and node fields, which are hidden in the default output.

How to eliminate wrong answers

Option B is wrong because `kubectl describe pod` provides a detailed, multi-line description of a pod, including its IP address, node, and container statuses, but it is not a single-line display of the current state; it is a verbose output meant for troubleshooting, not a concise summary. Option C is wrong because `kubectl logs pod` retrieves the container logs from the pod's stdout/stderr, not the pod's state, IP address, or node information; it is used for debugging application output, not for inspecting pod metadata. Option D is wrong because `kubectl get pod` (without `-o wide`) displays only the basic columns (NAME, READY, STATUS, RESTARTS, AGE) and omits the pod IP and node fields, which are only added with the `-o wide` output format.

216
MCQhard

Refer to the exhibit. A pod 'my-pod' shows repeated 'BackOff' events after the container starts. Which is the most likely cause?

A.The image 'myapp:v2' does not exist.
B.The container exceeds its memory limit.
C.The liveness probe is failing.
D.The application crashes shortly after starting.
AnswerD

Correct; the container starts but then crashes, leading to restart backoff.

Why this answer

The 'BackOff' event in Kubernetes indicates that the container has started but repeatedly crashes, causing the kubelet to increase the restart delay. Option D is correct because an application that crashes shortly after starting will trigger this restart loop, as the container exits with a non-zero exit code, leading to exponential backoff.

Exam trap

Cisco often tests the distinction between 'ImagePullBackOff' (image not found) and 'CrashLoopBackOff' (container crashes after start), so candidates must recognize that 'BackOff' events after the container starts point to a runtime crash, not a pull failure.

How to eliminate wrong answers

Option A is wrong because if the image 'myapp:v2' does not exist, the pod would show 'ErrImagePull' or 'ImagePullBackOff' events, not 'BackOff' after the container starts. Option B is wrong because exceeding the memory limit causes an 'OOMKilled' status and a container restart, but the event would typically be 'OOMKilled' or 'CrashLoopBackOff', not specifically 'BackOff' after a successful start. Option C is wrong because a failing liveness probe results in the container being killed and restarted, but the event would be 'Unhealthy' or 'Liveness probe failed', and the pod would show 'CrashLoopBackOff' rather than 'BackOff' immediately after start.

217
MCQmedium

Which of the following is a correct YAML structure for a Service of type ClusterIP?

A.apiVersion: v1 kind: Service metadata: name: my-service spec: selector: app: myapp ports: - port: 80
B.apiVersion: v1 kind: Pod metadata: name: my-service spec: selector: app: myapp ports: - port: 80
C.apiVersion: apps/v1 kind: Service metadata: name: my-service spec: selector: app: myapp ports: - port: 80
D.apiVersion: v1 kind: Service metadata: name: my-service spec: app: myapp ports: - port: 80
AnswerA

This is a valid Service manifest.

Why this answer

A valid Service YAML includes apiVersion: v1, kind: Service, metadata, and spec with selector and ports.

218
MCQhard

You have a microservices application where Service A needs to communicate with Service B running in a different namespace ('backend'). Both namespaces have a NetworkPolicy that denies all ingress by default. You create a NetworkPolicy in the 'backend' namespace allowing ingress from pods with label 'app: frontend'. What else is needed for Service A to reach Service B?

A.Ensure Service A's pod has the label 'app: frontend' on its pod spec
B.Add a similar NetworkPolicy in the 'default' namespace allowing egress to the 'backend' namespace
C.Change the NetworkPolicy to allow all ingress traffic from any source
D.Add a label to the 'default' namespace matching the NetworkPolicy's namespaceSelector
AnswerA

The NetworkPolicy uses podSelector to match pods with label 'app: frontend'. Service A's pod must have this label to be allowed ingress into the backend namespace.

Why this answer

Option A is correct because NetworkPolicies use pod selectors to determine which pods are allowed to send or receive traffic. By default, a NetworkPolicy that allows ingress from pods with label 'app: frontend' will only match pods in the same namespace unless a namespaceSelector is also specified. Since Service A is in a different namespace, the only way to match the ingress rule is to ensure Service A's pod carries the label 'app: frontend'.

This satisfies the podSelector in the NetworkPolicy, allowing traffic from that specific pod to Service B.

Exam trap

CNCF often tests the misconception that NetworkPolicy podSelectors automatically apply across namespaces, when in fact they are namespace-scoped unless combined with a namespaceSelector.

How to eliminate wrong answers

Option B is wrong because egress policies are not required for Service A to reach Service B unless the 'default' namespace has a NetworkPolicy that explicitly denies egress; the question states only ingress is denied by default, so no egress policy is needed. Option C is wrong because it suggests allowing all ingress traffic from any source, which would bypass the intended security restriction and is unnecessary; the existing policy already correctly restricts ingress to pods with the required label. Option D is wrong because namespaceSelector is used to select pods from entire namespaces, not to label the namespace itself; adding a label to the 'default' namespace does not affect the podSelector in the NetworkPolicy, which operates on pod labels, not namespace labels.

219
MCQmedium

Which log aggregation tool is designed specifically for Kubernetes and is often used as a lightweight alternative to Fluentd?

A.Logstash
B.Fluent Bit
C.Loki
D.Elasticsearch
AnswerB

Fluent Bit is lightweight and designed for Kubernetes.

Why this answer

Fluent Bit is a lightweight log processor and forwarder, often used in Kubernetes.

220
MCQmedium

A developer wants to deploy a stateless web application that should maintain three running instances at all times. Which Kubernetes resource should they use?

A.Job
B.Deployment
C.StatefulSet
D.DaemonSet
AnswerB

Deployment manages ReplicaSets to maintain a desired number of replicas and supports rolling updates.

Why this answer

A Deployment manages a ReplicaSet to ensure the desired number of pod replicas are running, supports rolling updates, and is ideal for stateless applications.

221
MCQhard

You create a Pod with a liveness probe that uses an HTTP GET on port 8080, path /healthz. The probe fails after the container starts. What will happen to the Pod?

A.The Pod will be marked as Unhealthy and removed from Service endpoints
B.The container will be restarted automatically
C.The Pod will be evicted from the node
D.The Pod will be deleted and recreated on a different node
AnswerB

Liveness probe failure triggers container restart.

Why this answer

A liveness probe indicates whether the container is running. If it fails, kubelet restarts the container according to the pod's restartPolicy.

222
MCQmedium

You have a Deployment that manages 3 replicas of a web application. You want to perform a rolling update with zero downtime. Which kubectl command should you use?

A.kubectl set image deployment/myapp mycontainer=myimage:v2
B.kubectl delete pod myapp-xyz --grace-period=0
C.kubectl patch deployment myapp -p '{"spec":{"replicas":5}}'
D.kubectl rollout undo deployment/myapp
AnswerA

This updates the container image and triggers a rolling update.

Why this answer

The 'kubectl set image deployment/myapp mycontainer=myimage:v2' command updates the container image and triggers a rolling update defined by the deployment's strategy.

223
MCQeasy

Refer to the exhibit. How many containers are defined in this Pod?

A.2
B.1
C.3
D.0
AnswerA

The YAML defines two containers.

Why this answer

The exhibit shows a Pod manifest with two container definitions under the `containers` field: one named `nginx` and one named `sidecar`. In Kubernetes, the number of containers in a Pod is determined by counting the entries in the `spec.containers` list, not including init containers or ephemeral containers unless explicitly specified. Therefore, the correct answer is 2.

Exam trap

The trap here is that candidates may miscount containers by including init containers or ephemeral containers, or mistakenly think the number of images referenced equals the number of containers, when the manifest explicitly lists only two containers in the `containers` array.

How to eliminate wrong answers

Option B is wrong because it assumes only one container is defined, but the manifest clearly lists two container entries under `spec.containers`. Option C is wrong because it suggests three containers, which would require a third entry in the `containers` list or additional init containers, neither of which is present. Option D is wrong because a Pod must have at least one container to be valid; the manifest explicitly defines two containers, so zero is incorrect.

224
Multi-Selecthard

Which TWO of the following are characteristics of serverless computing?

Select 2 answers
A.Manual server provisioning
B.Long-running processes
C.Event-driven execution
D.Auto-scaling to zero when not in use
E.Reserved capacity for predictable workloads
AnswersC, D

Functions are triggered by events.

Why this answer

Serverless computing is event-driven and auto-scales to zero when idle. Long-running processes are not suitable, and you do not manage the underlying servers. Reserved capacity is a concept for traditional cloud.

225
MCQhard

A Deployment manages 3 replicas of a pod. During a rolling update, one of the new pods enters CrashLoopBackOff. What happens next?

A.The Deployment deletes all pods and recreates them
B.The Deployment automatically reverts to the previous ReplicaSet
C.The Deployment continues the rollout, ignoring the failure
D.The Deployment pauses the rollout and waits for manual intervention
AnswerD

The Deployment controller will not proceed with the update if the new pod fails readiness checks.

Why this answer

Option D is correct because, by default, a Deployment's rolling update strategy has a `progressDeadlineSeconds` setting (default 600 seconds) and a `maxUnavailable`/`maxSurge` configuration. When a new pod enters CrashLoopBackOff, the Deployment's controller detects that the update is not making progress (the new ReplicaSet cannot reach the desired replica count with healthy pods). After the progress deadline expires, the Deployment marks the rollout as failed and pauses the update, requiring manual intervention (e.g., `kubectl rollout undo` or fixing the pod template).

This behavior is governed by the Deployment controller's reconciliation loop and the `Progressing` condition.

Exam trap

CNCF often tests the misconception that a Deployment automatically rolls back on failure, but in reality, it only pauses after a progress deadline, requiring manual rollback or correction.

How to eliminate wrong answers

Option A is wrong because a Deployment does not delete all pods and recreate them during a rolling update; it incrementally replaces pods by scaling up the new ReplicaSet and scaling down the old one, preserving overall availability. Option B is wrong because the Deployment does not automatically revert to the previous ReplicaSet; it only pauses the rollout after a progress deadline, and an explicit rollback (e.g., `kubectl rollout undo`) is required to revert. Option C is wrong because the Deployment does not ignore the failure; it respects the `progressDeadlineSeconds` and pauses the rollout when progress stalls, such as when a new pod is in CrashLoopBackOff.

Page 2

Page 3 of 14

Page 4