Kubernetes and Cloud Native Associate KCNA (KCNA) — Questions 226300

997 questions total · 14pages · All types, answers revealed

Page 3

Page 4 of 14

Page 5
226
Multi-Selecteasy

Which TWO of the following are benefits of using Helm for application delivery?

Select 2 answers
A.Automatic scaling based on CPU usage
B.Ability to roll back to previous releases
C.Automatic canary deployments
D.Simplified packaging and templating of Kubernetes resources
E.Built-in monitoring and alerting
AnswersB, D

Helm tracks releases and supports rollback with helm rollback.

Why this answer

Helm manages Kubernetes application releases as packaged charts. The `helm rollback` command allows you to revert to a previous revision of a release, which is a core benefit for safe application delivery and disaster recovery. This capability is built into Helm's release management system, which tracks each deployment as a revision with a unique version number.

Exam trap

CNCF often tests the distinction between Helm's release management features and Kubernetes-native or third-party operational features, so candidates mistakenly attribute capabilities like autoscaling or canary deployments to Helm because they see Helm used in CI/CD pipelines alongside those tools.

227
MCQmedium

A pod is stuck in 'Pending' state. You run 'kubectl describe pod mypod' and see the event '0/4 nodes are available: 4 Insufficient cpu'. What is the most likely cause?

A.The pod has exceeded its memory limit
B.The pod's image pull is failing
C.None of the nodes have enough CPU resources to satisfy the pod's request
D.The pod's liveness probe is failing
AnswerC

The event indicates insufficient CPU on all nodes.

Why this answer

The scheduler cannot place the pod because no node has enough available CPU to meet the pod's request.

228
MCQhard

When using a Service of type ClusterIP, how do pods reach the service?

A.Via the service's cluster IP and port
B.Via the node's IP address and a high port
C.Via an external load balancer
D.Directly via the pod's IP address
AnswerA

Pods connect to the service's cluster IP and port, which kube-proxy forwards to healthy pods.

Why this answer

A Service of type ClusterIP exposes a stable virtual IP (the cluster IP) and port within the cluster. Pods reach the Service by sending traffic to this cluster IP and port, which is then load-balanced by kube-proxy (using iptables, IPVS, or eBPF rules) to one of the backing pod endpoints. This is the default and most fundamental Service type in Kubernetes.

Exam trap

CNCF often tests the misconception that ClusterIP Services are only reachable from within the same pod or node, when in fact they are reachable from any pod in the cluster (across nodes) via the cluster IP, thanks to kube-proxy's distributed routing rules.

How to eliminate wrong answers

Option B is wrong because reaching a Service via the node's IP address and a high port is the behavior of a NodePort Service, not ClusterIP. Option C is wrong because an external load balancer is used by a LoadBalancer Service, which is built on top of NodePort and ClusterIP, not by ClusterIP itself. Option D is wrong because pods do not reach the Service directly via a pod's IP address; that would bypass the Service abstraction and load balancing, and the Service's cluster IP is the intended stable endpoint.

229
MCQmedium

A Deployment is created with `replicas: 3`. After applying the manifest, only 2 pods are running and one is in Pending state. What is the most likely reason?

A.The Service selector does not match
B.The Deployment name is misspelled
C.There are insufficient resources on the nodes
D.The container image is invalid
AnswerC

Pending often indicates insufficient CPU or memory to schedule the pod.

Why this answer

When a Pod remains in Pending state, it means the scheduler cannot find a node that satisfies the Pod's resource requirements (CPU, memory, or other constraints). Since two Pods are running successfully, the Deployment configuration (image, name, selector) is valid, and the issue is that the cluster lacks sufficient capacity to schedule the third replica. The scheduler continuously evaluates node resources and will leave the Pod pending until resources become available or the request is adjusted.

Exam trap

CNCF often tests the distinction between Pod lifecycle phases (Pending vs. CrashLoopBackOff vs. ImagePullBackOff) to see if candidates confuse scheduling failures with runtime or image errors.

How to eliminate wrong answers

Option A is wrong because a Service selector mismatch would not cause a Pod to be in Pending state; it would affect traffic routing but not Pod scheduling or creation. Option B is wrong because a misspelled Deployment name would cause the manifest to fail at creation time or create a separate resource, not result in a partially running Deployment with two Pods. Option D is wrong because an invalid container image would cause the Pod to enter ImagePullBackOff or ErrImagePull state, not Pending; Pending occurs before the container runtime attempts to pull the image.

230
MCQeasy

Which component on a worker node is responsible for enforcing the desired state of pods as defined in the pod specification?

A.kube-scheduler
B.kube-proxy
C.container runtime
D.kubelet
AnswerD

Why this answer

The kubelet is the primary node agent that runs on each node. It ensures that containers are running in a pod as described in the pod spec.

231
MCQhard

A pod is stuck in 'Pending' state. Which of the following is NOT a common cause for a pod to remain Pending?

A.Insufficient CPU or memory resources available in the cluster
B.The node selector in the pod spec does not match any node labels
C.The container runtime is not functioning on the node
D.The pod's PVC is not yet bound to a PV
AnswerB

If node selector labels don't match any node, the pod cannot be scheduled and stays Pending.

Why this answer

Option C is correct. A container runtime error typically causes the pod to stay in 'ContainerCreating' or crash, not 'Pending'. Pending usually indicates scheduling issues (insufficient resources, node selector/label mismatch) or storage issues (PVC not bound).

232
MCQhard

Which of the following is a correct way to assign a pod to a specific node using a nodeSelector?

A.spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: ...
B.spec: nodeName: "node1"
C.spec: nodeSelector: [disktype: ssd]
D.spec: nodeSelector: disktype: ssd
AnswerD

This is the correct syntax for nodeSelector.

Why this answer

A nodeSelector is a simple pod spec field that matches node labels. The correct format is a map of key-value pairs under 'spec.nodeSelector'.

233
Multi-Selecthard

Which THREE are valid ways to provide configuration data to a pod in Kubernetes?

Select 3 answers
A.Use an init container to write configuration to a shared volume
B.Mount a ConfigMap as a volume
C.Mount a Secret as a volume
D.Hardcode environment variables in the pod spec that contain sensitive data
E.Use environment variables from a ConfigMap
AnswersB, C, E

ConfigMaps can be mounted as files in a pod.

Why this answer

Option B is correct because a ConfigMap is a Kubernetes API object designed to store non-confidential configuration data in key-value pairs. Mounting a ConfigMap as a volume makes its data available as files in the pod's filesystem, allowing applications to read configuration without hardcoding it into the container image or pod spec. This approach decouples configuration from containerized applications, following the principle of immutable infrastructure.

Exam trap

Cisco often tests the misconception that any method of injecting data into a pod is a 'valid' configuration approach, but the KCNA exam expects you to recognize that only native Kubernetes API objects (ConfigMaps and Secrets) are the recommended and valid ways to provide configuration data, rejecting ad-hoc methods like init container scripts or hardcoded values.

234
MCQeasy

Which Kubernetes primitive is the smallest and simplest unit in the Kubernetes object model that you can create or deploy?

A.ReplicaSet
B.Pod
C.Deployment
D.Container
AnswerB

A Pod is the smallest and simplest Kubernetes object. It represents a single instance of a running process and can contain one or more containers.

Why this answer

A Pod is the smallest deployable unit in Kubernetes, representing a single instance of a running process in the cluster.

235
MCQeasy

What is the primary purpose of Prometheus in cloud native observability?

A.Provide distributed tracing
B.Visualize data
C.Collect and store logs
D.Collect and store metrics
AnswerD

Prometheus is a metrics system.

Why this answer

Prometheus is a metric system that collects and stores numeric time-series data.

236
Multi-Selectmedium

Which THREE of the following are true about container lifecycle? (Choose 3)

Select 3 answers
A.A container can be paused and resumed
B.A container can be hibernated to save state to disk
C.A container goes through a 'built' phase before running
D.A container terminates when its main process exits
E.A container can be stopped and later restarted
AnswersA, D, E

Container runtimes support pausing and resuming containers using cgroups freezer.

Why this answer

A container lifecycle includes creation, running, pausing, and stopping. Containers can be started, stopped, and restarted. Containers do not have a 'built' phase; images are built separately.

Containers run processes; they are not designed to be hibernated.

237
Multi-Selectmedium

Which TWO of the following are characteristics of Kustomize?

Select 2 answers
A.Requires a values.yaml file for configuration
B.Uses a templating engine similar to Helm
C.Supports patching resources via patchesStrategicMerge
D.Can manage dependencies between charts
E.Uses overlays to customize base configurations
AnswersC, E

Kustomize supports strategic merge patches and JSON patches.

Why this answer

Kustomize uses overlays to customize Kubernetes manifests without templating. It does not use values files or require a package manager.

238
MCQhard

You are asked to deploy a Kubernetes service that exposes a set of pods internally within the cluster only. The service should not be accessible from outside the cluster. Which Service type should you choose?

A.ClusterIP
B.NodePort
C.ExternalName
D.LoadBalancer
AnswerA

ClusterIP provides internal-only access.

Why this answer

ClusterIP is the default Kubernetes Service type that exposes the service on a cluster-internal IP address. This makes the service reachable only from within the cluster, which is exactly what is required for internal-only communication between pods. No external traffic can reach a ClusterIP service unless an ingress controller or proxy is explicitly configured.

Exam trap

CNCF often tests the misconception that ClusterIP is only for inter-pod communication within the same namespace, but it actually works across all namespaces within the cluster, and the trap is that candidates confuse it with NodePort when they think 'internal only' means 'no external access' but forget that NodePort inherently opens external access.

How to eliminate wrong answers

Option B is wrong because NodePort exposes the service on a static port on each node's IP address, making it accessible from outside the cluster via <NodeIP>:<NodePort>. Option C is wrong because ExternalName maps a service to a DNS name (via CNAME records) and does not expose pods internally; it is used to provide an alias for an external service. Option D is wrong because LoadBalancer provisions an external load balancer (e.g., from a cloud provider) and assigns a public IP, making the service accessible from outside the cluster.

239
MCQeasy

What is the primary purpose of the Open Container Initiative (OCI)?

A.To provide a container runtime called Docker
B.To create a container orchestration platform
C.To define the Kubernetes Container Runtime Interface (CRI)
D.To standardize container image and runtime specifications
AnswerD

OCI develops and maintains standards for container images (image spec) and runtimes (runtime spec) to promote compatibility across tools.

Why this answer

Option A is correct. The OCI aims to standardize container formats and runtimes to ensure interoperability. Option B is incorrect as OCI does not define Kubernetes APIs.

Option C is incorrect because Docker is not an OCI specification. Option D is incorrect because OCI focuses on standards, not a specific product.

240
MCQeasy

Which control plane component is responsible for assigning pods to nodes?

A.etcd
B.kube-apiserver
C.kube-scheduler
D.kube-controller-manager
AnswerC

The kube-scheduler watches for newly created pods and assigns them to nodes.

Why this answer

The kube-scheduler assigns pods to nodes based on resource requirements, policies, and constraints.

241
MCQhard

An SRE team defines an SLO that 99.9% of requests to a service should complete in under 500ms over a 30-day rolling window. If the service receives 10 million requests in a month, what is the maximum number of requests that can exceed the latency threshold while still meeting the SLO?

A.10,000
B.5,000
C.1,000
D.100,000
AnswerA

0.1% of 10 million is 10,000.

Why this answer

SLO of 99.9% means up to 0.1% errors are allowed. 0.1% of 10,000,000 is 10,000 requests.

242
Multi-Selectmedium

Which TWO of the following are valid use cases for Kubernetes Namespaces? (Select 2)

Select 2 answers
A.To enforce resource quotas and limits on the resources within the namespace
B.To create separate environments like development, staging, and production in the same cluster
C.To isolate cluster-wide resources such as Nodes and PersistentVolumes
D.To improve performance by reducing network latency between Pods
E.To separate resources for different teams or projects within a single cluster
AnswersB, E

Namespaces allow you to create logically separated environments within the same physical cluster.

Why this answer

Options A and D are correct. Namespaces provide logical isolation for resources and can be used to separate environments (dev, prod) or teams. Option B is incorrect because cluster-wide resources like Nodes are not namespaced.

Option C is incorrect because namespaces do not enforce resource quotas; ResourceQuota objects do. Option E is incorrect because namespaces do not improve performance; they add overhead.

243
Multi-Selectmedium

Which THREE fields are required in a Kubernetes manifest YAML file?

Select 3 answers
A.kind
B.metadata
C.status
D.spec
E.apiVersion
AnswersA, B, E

Defines the type of Kubernetes resource.

Why this answer

The 'kind' field is required because it tells Kubernetes which type of object to create (e.g., Pod, Deployment, Service). Without it, the API server cannot route the manifest to the correct resource handler. It must be a valid Kubernetes resource kind from the core API or a custom resource definition.

Exam trap

CNCF often tests the misconception that 'spec' is always required, but the KCNA exam expects you to know that status is never user-supplied and that spec is optional for certain built-in resources like Namespace or LimitRange.

244
MCQmedium

You have two pods in different namespaces that need to communicate using a stable IP address. Which Kubernetes object provides a stable endpoint for a set of pods?

A.ConfigMap
B.Ingress
C.Service
D.Deployment
AnswerC

Services provide stable networking endpoints for pods.

Why this answer

A Service provides a stable IP address and DNS name that routes traffic to a set of pods, regardless of pod IP changes.

245
MCQhard

You need to run a stateful application that requires stable network identities and persistent storage per pod. Which Kubernetes resource is BEST suited?

A.DaemonSet
B.StatefulSet
C.Job
D.Deployment
AnswerB

StatefulSet provides stable pod identities and ordered deployment/ scaling, ideal for stateful workloads.

Why this answer

Option A is correct. StatefulSet is designed for stateful applications that need stable, unique network identities and persistent storage. Option B (Deployment) is for stateless apps.

Option C (DaemonSet) runs on each node. Option D (Job) is for batch work.

246
MCQhard

A Deployment is rolling out a new version. The rollout has stalled, and 'kubectl rollout status deployment/myapp' shows 'Waiting for deployment rollout to finish: 2 out of 5 new replicas have been updated...'. The Deployment's spec.strategy.rollingUpdate.maxUnavailable is set to 25% and maxSurge is 25%. What is the maximum number of Pods that could be unavailable during this rollout?

A.1
B.3
C.2
D.0
AnswerC

maxUnavailable=25% of 5 = 1.25, so up to 2 Pods can be unavailable.

Why this answer

Option C is correct because with maxUnavailable=25% and maxSurge=25%, the maximum number of unavailable Pods during a rolling update is calculated as the ceiling of 25% of the desired replicas (5), which is 2. This means up to 2 Pods can be unavailable at any time, ensuring the rollout can proceed while maintaining availability.

Exam trap

The trap here is that candidates often forget that maxUnavailable is calculated as a percentage of the desired replicas and rounded up, leading them to incorrectly calculate 25% of 5 as 1.25 and round down to 1, or they misinterpret the rollout status as showing only 2 Pods are updated, assuming that is the maximum unavailable, when in fact the maximum is determined by the strategy, not the current state.

How to eliminate wrong answers

Option A is wrong because 1 is less than the calculated maximum of 2 (ceiling of 25% of 5), and the rollout status shows 2 new replicas are updated, indicating at least 2 Pods are unavailable. Option B is wrong because 3 exceeds the maximum allowed by the rolling update strategy; maxUnavailable=25% limits unavailable Pods to 2, and having 3 unavailable would violate the Deployment's availability guarantee. Option D is wrong because 0 is not possible during a rollout; the rollout status explicitly shows 2 out of 5 new replicas are updated, meaning at least 2 old Pods are being terminated and are unavailable.

247
Multi-Selectmedium

Which TWO statements are true about ArgoCD's health status?

Select 2 answers
A.ArgoCD can be configured to perform automatic rollback on health degradation
B.ArgoCD only supports health checks for Deployments
C.ArgoCD checks the health of resources by comparing their status fields
D.Health status is only determined by the application's YAML definition
E.A healthy application always means the sync status is 'Synced'
AnswersA, C

Self-healing can trigger rollback if health check fails.

Why this answer

ArgoCD assesses health based on Kubernetes resource status and can take actions when health degrades.

248
Multi-Selectmedium

Which THREE are examples of DORA metrics used to measure DevOps performance? (Choose 3)

Select 3 answers
A.Deployment Frequency
B.Number of developers per team
C.Code coverage percentage
D.Mean Time to Restore (MTTR)
E.Lead Time for Changes
AnswersA, D, E

Why this answer

DORA metrics include Deployment Frequency, Lead Time for Changes, Mean Time to Restore (MTTR), and Change Failure Rate. Options A, B, and D are the three correct ones. Option C (Number of developers) is not a DORA metric.

Option E (Code coverage) is a software quality metric, not a DORA metric.

249
Multi-Selectmedium

Which two of the following are characteristics of container images built using OCI standards? (Choose two.)

Select 2 answers
A.They are portable across different container runtimes
B.They are composed of layers that can be cached and reused
C.They include a full guest operating system
D.They can only be run by Docker
E.They require a hypervisor to run
AnswersA, B

OCI standards ensure portability.

Why this answer

OCI images are composed of layers (read-only) and are built from a Dockerfile. They are lightweight and portable across different runtimes. They do not include a guest OS (unlike VMs), and they are not tied to a specific runtime.

250
MCQmedium

In Flux, which controller is responsible for reconciling the desired state defined in a Git repository to the cluster?

A.Image Automation Controller
B.Kustomize Controller
C.Source Controller
D.Helm Controller
AnswerB

The Kustomize Controller watches for changes in Kustomize overlays and applies them to the cluster, ensuring the cluster matches the desired state.

Why this answer

Flux's Source Controller fetches artifacts (e.g., Git repositories, Helm repos) but does not apply changes. The Kustomize Controller is the primary controller that reconciles the desired state from those sources to the cluster.

251
Multi-Selecthard

Which THREE of the following are core components of the OpenTelemetry specification? (Select three.)

Select 3 answers
A.Data Model
B.API
C.Collector
D.Exporter
E.SDK
AnswersA, B, E

Data Model defines the schema for telemetry data.

Why this answer

The OpenTelemetry specification defines the API, SDK, and data model. These are the core components.

252
MCQhard

A Kubernetes cluster has two nodes: control-plane and worker. The worker node runs several pods. The control-plane node becomes unreachable. What is the immediate impact on the pods running on the worker node?

A.All pods are immediately terminated
B.Pods continue running, but new pods cannot be scheduled
C.Pods are rescheduled to the control-plane node
D.The worker node is automatically cordoned
AnswerB

Existing pods keep running; scheduling requires the scheduler on the control plane.

Why this answer

When the control-plane node becomes unreachable, the kube-controller-manager cannot communicate with the kubelet on the worker node, so it stops performing scheduling and reconciliation. However, the kubelet on the worker node continues to run existing pods based on the last known desired state stored locally, and the pods themselves are managed by the container runtime (e.g., containerd) independently of the control-plane. Therefore, pods continue running normally, but no new pods can be scheduled because the scheduler, which runs on the control-plane, is unavailable.

Exam trap

The trap here is that candidates often assume the control-plane is required for all pod operations, confusing the control-plane's role in scheduling and reconciliation with the kubelet's independent ability to maintain running workloads, leading them to choose immediate termination or automatic rescheduling.

How to eliminate wrong answers

Option A is wrong because pods are not immediately terminated; the kubelet on the worker node continues to maintain running pods even without contact with the control-plane, as the pod lifecycle is managed locally. Option C is wrong because pods cannot be rescheduled to the control-plane node; the control-plane node is typically tainted (e.g., node-role.kubernetes.io/control-plane:NoSchedule) to prevent workload pods from running on it, and the scheduler is unavailable to make such decisions. Option D is wrong because the worker node is not automatically cordoned; cordoning is a manual or scheduler-driven action that marks a node as unschedulable, but the control-plane being unreachable does not trigger an automatic cordon of the worker node.

253
MCQmedium

You have a Pod that is in 'Pending' state. What is the most likely cause?

A.The node is out of CPU or memory resources.
B.The application inside the container crashed.
C.The container image is missing.
D.The Service does not have any endpoints.
AnswerA

If no node has sufficient resources to satisfy the Pod's requests, the scheduler cannot place it, leaving it Pending.

Why this answer

A Pod in 'Pending' state indicates that the scheduler has not yet assigned it to a node. The most common reason is insufficient resources (CPU or memory) on any available node, causing the scheduler to fail to find a suitable node that meets the Pod's resource requests. This is a core scheduling failure in Kubernetes.

Exam trap

CNCF often tests the distinction between Pod lifecycle states, and the trap here is confusing 'Pending' (pre-scheduling) with post-scheduling failures like image pull errors or container crashes, which have distinct states (e.g., ImagePullBackOff, CrashLoopBackOff).

How to eliminate wrong answers

Option B is wrong because a container crash (e.g., application exit code non-zero) results in a 'CrashLoopBackOff' or 'Error' state, not 'Pending'. Option C is wrong because a missing container image causes the Pod to enter 'ImagePullBackOff' or 'ErrImagePull' state after scheduling, not 'Pending'. Option D is wrong because a Service lacking endpoints does not affect Pod scheduling; it is a networking issue that affects service discovery, not the Pod's lifecycle state.

254
MCQeasy

Which of the following is a key benefit of container orchestration?

A.Manual scaling of applications
B.Requires manual intervention for pod failures
C.Only supports monolithic applications
D.Automated scaling, self-healing, and declarative management
AnswerD

These are core benefits of orchestration.

Why this answer

Container orchestration platforms like Kubernetes provide automated scaling, self-healing, and declarative management.

255
MCQmedium

A service of type ClusterIP is created but pods cannot reach it using the service name. The pods are in the same namespace. What is a likely cause?

A.The service is not exposed externally
B.CoreDNS is not running or misconfigured
C.The service port does not match the container port
D.The selector does not match any pod labels
AnswerB

DNS resolution for service names relies on CoreDNS; if it's down, names won't resolve.

Why this answer

ClusterIP services are reachable via DNS if CoreDNS is running. If the service name is not resolvable, CoreDNS might be misconfigured or not running.

256
MCQeasy

What is the primary purpose of a container orchestration platform like Kubernetes?

A.To provide a lightweight runtime for running a single container
B.To automate the deployment, scaling, and management of containerized applications
C.To manage virtual machines and their hypervisors
D.To compile source code into container images
AnswerB

Orchestration platforms handle lifecycle management, scaling, and self-healing of containers across clusters.

Why this answer

Container orchestration platforms automate the deployment, scaling, and management of containerized applications. Option B captures the core purpose: automating deployment, scaling, and management. Option A describes a single container runtime feature.

Option C describes a configuration management tool like Ansible. Option D describes a CI/CD tool.

257
MCQhard

A platform team wants to implement observability for a Kubernetes cluster running 500+ microservices. They need to reduce the cost of storing logs while retaining the ability to search for specific error patterns. Which strategy best achieves this?

A.Increase log retention to one year for compliance
B.Store all logs in a centralized Elasticsearch cluster with high retention
C.Aggregate logs into a single pod for easier indexing
D.Use structured logging and sample debug logs, retaining error logs fully
AnswerD

Sampling reduces volume while keeping critical error logs for search.

Why this answer

Option D is correct because structured logging (e.g., JSON format) enables efficient indexing and querying of logs, while sampling debug logs and retaining error logs fully reduces storage costs without losing critical error patterns. This approach balances observability needs with cost optimization, a key principle in cloud-native environments.

Exam trap

The trap here is that candidates may assume centralized storage (Elasticsearch) or longer retention always improves observability, ignoring the cost and scalability constraints of 500+ microservices in a cloud-native environment.

How to eliminate wrong answers

Option A is wrong because increasing log retention to one year for compliance does not address cost reduction; it increases storage costs and may violate data minimization principles. Option B is wrong because storing all logs in a centralized Elasticsearch cluster with high retention is expensive and inefficient, as it retains unnecessary debug logs and scales poorly for 500+ microservices. Option C is wrong because aggregating logs into a single pod creates a single point of failure, violates pod isolation, and does not reduce storage costs or improve searchability.

258
Multi-Selectmedium

Which THREE of the following are valid ways to expose environment variables from a ConfigMap to a pod?

Select 3 answers
A.volumes and volumeMounts
B.env.value
C.env.valueFrom.secretKeyRef
D.env.valueFrom.configMapKeyRef
E.envFrom
AnswersA, D, E

ConfigMaps can be mounted as volumes, and files appear as environment-like files.

Why this answer

Option A is correct because ConfigMaps can be exposed as files in a pod's filesystem using a volume mount. When you define a ConfigMap as a volume in the pod spec and mount it via volumeMounts, each key in the ConfigMap becomes a file in the specified mount path, with the key's value as the file content. This is a standard method for injecting configuration data into containers without modifying the container image.

Exam trap

CNCF often tests the distinction between `configMapKeyRef` and `secretKeyRef`, expecting candidates to know that `secretKeyRef` is for Secrets only, not ConfigMaps, and that `env.value` is for static values, not dynamic references.

259
MCQmedium

You need to provide an application with configuration data that does not change often and should not be baked into the container image. Which Kubernetes resource should you use?

A.Secret
B.PersistentVolumeClaim
C.ConfigMap
D.ServiceAccount
AnswerC

Why this answer

ConfigMap is the correct Kubernetes resource for providing configuration data that does not change often and should not be baked into the container image. It decouples configuration artifacts from image content, allowing you to update configuration without rebuilding images, and supports injection via environment variables, command-line arguments, or volume mounts.

Exam trap

The trap here is that candidates confuse ConfigMap with Secret, assuming all configuration must be secret, or they mistakenly think PersistentVolumeClaim can store configuration files, when in fact ConfigMap is the correct resource for non-sensitive, frequently updated configuration data.

How to eliminate wrong answers

Option A is wrong because Secrets are specifically designed for sensitive data (e.g., passwords, tokens, SSH keys) and are base64-encoded, not for general configuration data that does not change often. Option B is wrong because PersistentVolumeClaim is used to request persistent storage volumes for stateful workloads, not for injecting configuration data into containers. Option D is wrong because ServiceAccount provides an identity for Pods to authenticate with the Kubernetes API server, not for storing or delivering configuration data.

260
MCQhard

An application deployed on Kubernetes is experiencing intermittent failures due to network latency. Which resiliency pattern should be implemented to gracefully handle such failures?

A.Circuit breaker
B.Bulkhead
C.Retry
D.Timeout
AnswerC

Retry pattern handles transient failures by reattempting the operation after a delay.

Why this answer

Retry pattern automatically retries failed operations, which is appropriate for transient failures like network latency. Circuit breaker prevents repeated calls to a failing service. Timeout sets a maximum wait.

Bulkhead isolates resources.

261
Multi-Selecthard

Which TWO of the following are valid components of the Alertmanager configuration? (Select two.)

Select 2 answers
A.group_by
B.prometheus_rules
C.route
D.alert
E.receivers
AnswersC, E

Route defines alert routing tree in Alertmanager.

Why this answer

Alertmanager configuration includes 'route' for routing alerts and 'receivers' for notification channels. 'prometheus_rules' is part of Prometheus configuration, not Alertmanager. 'alert' and 'group_by' are not top-level Alertmanager config keys.

262
Multi-Selectmedium

Which TWO of the following are valid ways to expose a set of pods as a network service within a Kubernetes cluster?

Select 2 answers
A.Create a StatefulSet with pod hostnames.
B.Create a Service of type ExternalName.
C.Create a ConfigMap with pod IPs.
D.Create a Service of type ClusterIP.
E.Create an Ingress resource that routes to a Service.
AnswersD, E

ClusterIP exposes pods internally.

Why this answer

A Service of type ClusterIP exposes a set of pods as a network service within the cluster by assigning a stable virtual IP address and DNS name. Traffic to this IP is load-balanced across the pods matching the Service's label selector, enabling internal cluster communication without external exposure.

Exam trap

Cisco often tests the distinction between a resource that manages pods (like StatefulSet) and a resource that provides network access to those pods (like Service), leading candidates to confuse pod management with service exposure.

263
MCQeasy

Which component is the primary entry point for all administrative tasks and API requests in a Kubernetes cluster?

A.kube-controller-manager
B.kube-apiserver
C.etcd
D.kube-scheduler
AnswerB

The API server is the entry point for all REST API calls.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane and exposes the Kubernetes API.

264
Multi-Selectmedium

Which THREE of the following are key benefits of container orchestration? (Choose 3)

Select 3 answers
A.Built-in network isolation between all containers
B.Declarative management using desired state configuration
C.High availability through replication and load balancing
D.Automatic code compilation from source repositories
E.Self-healing capabilities that restart failed containers
AnswersB, C, E

Users define the desired state, and the orchestrator works to achieve and maintain it.

Why this answer

Container orchestration platforms like Kubernetes provide high availability through replication, self-healing by restarting failed containers, and declarative management via desired state configuration. Network isolation is typically provided by network policies but is not a core orchestration benefit.

265
MCQhard

You have a ConfigMap named 'app-config' and a Secret named 'db-password'. You want to mount them into a pod. Which statement is correct?

A.Secrets can be mounted as volumes, but ConfigMaps cannot
B.Both ConfigMaps and Secrets can be mounted as volumes
C.ConfigMaps can be mounted as volumes, but Secrets cannot
D.ConfigMaps and Secrets can only be exposed as environment variables
AnswerB

Both resource types support volume mounting and environment variable injection.

Why this answer

Both ConfigMaps and Secrets are Kubernetes API objects designed to decouple configuration data from container images. They can be mounted as volumes into pods, allowing files to be created in the container's filesystem with the data from the ConfigMap or Secret. This is a core feature for managing configuration and sensitive data in Kubernetes.

Exam trap

CNCF often tests the misconception that Secrets and ConfigMaps have different mounting capabilities, when in fact both support volume mounts and environment variable injection, with the key difference being that Secrets are base64-encoded and intended for sensitive data.

How to eliminate wrong answers

Option A is wrong because ConfigMaps can indeed be mounted as volumes, just like Secrets. Option C is wrong because Secrets can be mounted as volumes, just like ConfigMaps. Option D is wrong because both ConfigMaps and Secrets can be exposed as environment variables AND mounted as volumes, not only as environment variables.

266
MCQmedium

In GitOps, what is the role of a tool like ArgoCD?

A.To automatically apply changes from a Git repository to a Kubernetes cluster
B.To monitor application performance
C.To create Docker images from source code
D.To manage container registries
AnswerA

ArgoCD is a GitOps operator that ensures the cluster matches the Git repo.

Why this answer

ArgoCD synchronizes the cluster state with the desired state defined in a Git repository.

267
MCQhard

A cluster administrator needs to ensure that a Deployment named 'frontend' in namespace 'web' is updated with a new image version using a rolling update strategy. The current deployment has 4 replicas. The administrator runs: kubectl set image deployment/frontend frontend=nginx:1.21 -n web. Which of the following describes the expected behavior?

A.The Deployment will create a new ReplicaSet and gradually replace old pods with new ones
B.All existing pods will be deleted immediately and new pods will be created with the new image
C.The command will fail because you cannot update a Deployment using kubectl set image
D.The Deployment's image will be updated, but only the container named 'app' will be affected
AnswerA

This is the default rolling update behavior: a new ReplicaSet is created, and pods are gradually transitioned.

Why this answer

The 'kubectl set image' command triggers a rolling update on the Deployment. By default, the Deployment's strategy is RollingUpdate, which updates pods gradually. The ReplicaSet is updated, and old pods are scaled down while new ones are scaled up.

Option B incorrectly describes a Recreate update. Option C is false because the Deployment is updated in place. Option D is incorrect because the image is changed for the 'frontend' container.

268
MCQeasy

Which Kubernetes object provides stable network endpoints and load balancing for a set of pods?

A.Service
B.Deployment
C.ConfigMap
D.Pod
AnswerA

Services provide stable IPs and DNS names with load balancing across pods.

Why this answer

A Service is the correct Kubernetes object because it provides a stable virtual IP (ClusterIP) and DNS name that remains constant even as pods are created or destroyed. It automatically load-balances traffic across the set of pods matching its label selector using iptables or IPVS rules, ensuring reliable network endpoints for clients.

Exam trap

The trap here is that candidates often confuse a Deployment's ability to manage replicas with providing network access, forgetting that only a Service creates a stable, load-balanced network abstraction over pods.

How to eliminate wrong answers

Option B (Deployment) is wrong because a Deployment manages pod replicas and rolling updates, but it does not expose a stable network endpoint or perform load balancing; it relies on a Service for that. Option C (ConfigMap) is wrong because it is used to inject configuration data (key-value pairs) into pods as environment variables or files, not to provide network endpoints or load balancing. Option D (Pod) is wrong because a Pod has a dynamic IP that changes on restart, and it cannot provide stable endpoints or load balancing across multiple pods; a Service abstracts over pods to solve this.

269
MCQeasy

What is the primary benefit of using containers over virtual machines?

A.Containers provide stronger isolation between applications
B.Containers include a full operating system per instance
C.Containers require a hypervisor to run
D.Containers are lightweight and share the host OS kernel
AnswerD

Containers do not include a guest OS, making them more lightweight and faster to start.

Why this answer

Containers are lightweight because they share the host OS kernel, avoiding the overhead of a separate guest OS per instance. Unlike VMs, which require a hypervisor and a full OS for each virtual machine, containers run as isolated processes on the same kernel, enabling faster startup times and higher density. This shared-kernel model is the primary benefit, as it reduces resource consumption and improves efficiency in orchestrated environments like Kubernetes.

Exam trap

The trap here is that candidates confuse 'isolation' with 'security' and assume containers are more secure because they are lightweight, but the primary benefit is resource efficiency, not stronger isolation—VMs actually provide better isolation via hardware virtualization.

How to eliminate wrong answers

Option A is wrong because containers provide weaker isolation than virtual machines, as they share the host kernel and rely on namespaces and cgroups for process-level separation, whereas VMs use hardware-level virtualization with a hypervisor for stronger isolation. Option B is wrong because containers do not include a full operating system per instance; they package only the application and its dependencies, while the OS kernel is shared from the host. Option C is wrong because containers do not require a hypervisor to run; they run directly on the host OS using the kernel's container runtime (e.g., runc), whereas VMs require a hypervisor (e.g., KVM, VMware) to virtualize hardware.

270
MCQeasy

What is the primary difference between a container and a virtual machine (VM)?

A.Containers are slower to start than VMs
B.Containers require a hypervisor to run
C.Containers share the host OS kernel, whereas VMs each have their own guest OS
D.Containers virtualize hardware, while VMs virtualize the operating system
AnswerC

Correct. Containers share the host kernel; VMs have a full guest OS.

Why this answer

Containers share the host OS kernel and run as isolated processes, while VMs include a full guest OS and run on hypervisor-managed virtual hardware.

271
Multi-Selecthard

Which THREE of the following are required for a Kubernetes pod to be considered healthy and ready to serve traffic?

Select 3 answers
A.The startup probe has succeeded.
B.The container is in the Running state.
C.The pod has at least one endpoint in its Service's endpoints list.
D.The readiness probe has succeeded.
E.The liveness probe has succeeded.
AnswersA, B, D

Startup probe indicates the application has started.

Why this answer

Option A is correct because a startup probe must succeed before the kubelet considers the container started. Until the startup probe succeeds, the readiness and liveness probes are not active, so the pod cannot be marked healthy or ready. This is defined in the Kubernetes API for startup probes, which delay the start of other probes until the application has initialized.

Exam trap

Cisco often tests the distinction between liveness and readiness probes, and the trap here is that candidates confuse a successful liveness probe (which only indicates the container is alive) with the readiness probe (which specifically controls traffic routing), leading them to incorrectly select option E.

272
MCQeasy

A cloud-native application is designed with multiple microservices that need to handle a sudden spike in traffic without manual intervention. Which Kubernetes feature best enables this?

A.VerticalPodAutoscaler
B.Cluster Autoscaler
C.HorizontalPodAutoscaler
D.PodDisruptionBudget
AnswerC

Automatically scales pod replicas based on CPU/memory or custom metrics.

Why this answer

The HorizontalPodAutoscaler (HPA) automatically scales the number of pod replicas in a deployment based on observed CPU/memory utilization or custom metrics. This directly addresses the need to handle a sudden traffic spike without manual intervention by adding more pod instances to distribute the load.

Exam trap

CNCF often tests the distinction between scaling pods (HPA) versus scaling nodes (Cluster Autoscaler) versus scaling pod resources (VPA), and the trap here is that candidates confuse 'scaling the application' with 'scaling the cluster infrastructure'.

How to eliminate wrong answers

Option A is wrong because VerticalPodAutoscaler (VPA) adjusts resource requests and limits (CPU/memory) of existing pods, not the number of replicas, so it cannot handle a traffic spike by increasing capacity. Option B is wrong because Cluster Autoscaler adds or removes worker nodes to the cluster, not pods; it works at the infrastructure layer and does not directly scale the application itself. Option D is wrong because PodDisruptionBudget (PDB) limits the number of voluntary disruptions (e.g., node drains) to maintain availability, but it does not scale pods up or down in response to traffic changes.

273
MCQmedium

An application requires external configuration that varies between environments (dev, staging, prod). Following the 12-factor app methodology, how should this configuration be provided?

A.Use environment variables
B.Store configuration in a config file that is version-controlled
C.Use a centralized database for configuration
D.Hard-code the configuration in the application code
AnswerA

12-factor apps store configuration in environment variables to keep it separate from code.

Why this answer

The 12-factor app methodology recommends storing configuration in environment variables to keep it separate from code and vary per deploy.

274
Multi-Selecthard

Which THREE of the following are features provided by a service mesh like Istio? (Select THREE.)

Select 3 answers
A.Container image building
B.Traffic routing and load balancing
C.Observability including metrics and distributed tracing
D.Security through mTLS and access policies
E.Database schema migrations
AnswersB, C, D

Service mesh can route traffic based on rules.

Why this answer

Service mesh provides traffic management (routing), observability (metrics, tracing), and security (mTLS, policies).

275
Multi-Selectmedium

Which THREE are benefits of using a container orchestration platform? (Select 3)

Select 3 answers
A.Guarantees zero downtime during deployments
B.Declarative configuration management
C.Automated scaling based on demand
D.Eliminates the need for cloud infrastructure
E.High availability through automatic failover
AnswersB, C, E

Orchestration uses declarative configs (YAML) to define desired state.

Why this answer

Options A, B, and E are correct. Orchestration provides high availability (A), automated scaling (B), and declarative management (E). Option C is incorrect—containers are portable across environments, not tied to a specific cloud.

Option D is incorrect—orchestration abstracts infrastructure, but containers still run on servers.

276
Multi-Selectmedium

Which TWO of the following are core principles of cloud native architecture according to the CNCF?

Select 2 answers
A.Static scaling based on predefined thresholds
B.Microservices architecture
C.Dynamic orchestration
D.Manual infrastructure management
E.Monolithic deployment
AnswersB, C

Microservices decompose applications into small, independent services, a core cloud native principle.

Why this answer

Options A and D are correct. Microservices architecture and dynamic orchestration are fundamental cloud native principles. Option B (monolithic deployment) is antithetical to cloud native.

Option C (manual infrastructure management) contradicts automation. Option E (static scaling) is not a principle; cloud native emphasizes dynamic scaling.

277
Drag & Dropmedium

Drag and drop the steps to create a ConfigMap from a file in Kubernetes into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Prepare the file, create ConfigMap, verify, describe, and use it in a Pod.

278
Multi-Selecteasy

Which TWO are benefits of using a container orchestration platform like Kubernetes? (Select TWO.)

Select 2 answers
A.Increases application complexity
B.Requires a dedicated hypervisor for each container
C.Automatic service discovery and load balancing
D.Self-healing (automatic restart of failed containers)
E.Manual scaling of applications
AnswersC, D

Kubernetes automatically assigns IPs and a single DNS name for a set of pods and load-balances traffic.

Why this answer

Option C is correct because Kubernetes includes built-in service discovery and load balancing. Services in Kubernetes get a stable virtual IP and DNS name, and kube-proxy implements load balancing across pods using iptables or IPVS rules, distributing traffic without manual configuration.

Exam trap

CNCF often tests the distinction between manual and automatic scaling; candidates may incorrectly select manual scaling as a benefit because they confuse it with the ability to scale, but the question asks for benefits of using the platform, which include automation, not manual effort.

279
MCQmedium

A DevOps team wants to collect logs from all Kubernetes nodes and forward them to a central log storage system. Which tool is specifically designed for lightweight log aggregation and forwarding on Kubernetes nodes?

A.Elasticsearch
B.Prometheus
C.Fluent Bit
D.Grafana
AnswerC

Fluent Bit is a lightweight log forwarder suitable for Kubernetes nodes.

Why this answer

Fluent Bit is a lightweight log processor and forwarder, designed for resource-constrained environments like Kubernetes nodes.

280
MCQmedium

What is the role of etcd in a Kubernetes cluster?

A.It manages network policies
B.It stores the cluster state and configuration
C.It schedules pods onto nodes
D.It provides DNS resolution for services
AnswerB

etcd is the backing store for all cluster data.

Why this answer

etcd is a distributed key-value store that stores all cluster data, including configuration, state, and metadata.

281
MCQmedium

A development team wants to implement a GitOps workflow for their Kubernetes deployments. Which tool is specifically designed for GitOps on Kubernetes?

A.ArgoCD
B.Helm
C.Jenkins
D.Terraform
AnswerA

Why this answer

ArgoCD is a declarative GitOps tool built specifically for Kubernetes.

282
Multi-Selecthard

Which TWO statements are true about Kubernetes namespaces? (Select 2)

Select 2 answers
A.All Kubernetes resources are namespaced
B.Namespaces provide network isolation by default
C.Resource quotas can be applied to a namespace to limit resource usage
D.Namespaces can be used to separate environments like dev and prod
E.Deleting a namespace automatically deletes all resources in it, including cluster-scoped resources
AnswersC, D

ResourceQuotas can be set per namespace to control aggregate resource consumption.

Why this answer

Namespaces provide logical isolation and are used to divide cluster resources among multiple users or teams. Some resources, like nodes and PersistentVolumes, are cluster-scoped and not namespaced.

283
MCQmedium

A developer wants to expose a set of pods running a web application internally within the cluster using a stable IP address. Which Kubernetes resource should they create?

A.Ingress
B.ConfigMap
C.Deployment
D.Service
AnswerD

A Service (e.g., ClusterIP) provides a stable internal IP and DNS name.

Why this answer

A Service provides a stable endpoint (IP/DNS) and load balancing for a set of pods.

284
MCQeasy

Which of the following is a benefit of container orchestration?

A.Elimination of all security vulnerabilities
B.Self-healing of failed containers
C.Manual scaling of applications
D.Guaranteed zero downtime
AnswerB

Orchestration platforms like Kubernetes automatically restart failed containers.

Why this answer

Container orchestration platforms like Kubernetes provide self-healing capabilities by automatically restarting failed containers, rescheduling them on healthy nodes, and replacing or terminating containers that fail health checks. This ensures that the desired state of the application is maintained without manual intervention, which is a core benefit of orchestration.

Exam trap

CNCF often tests the misconception that orchestration provides absolute guarantees (like zero downtime or complete security), when in reality it provides mechanisms to improve reliability and security but cannot eliminate all risks.

How to eliminate wrong answers

Option A is wrong because container orchestration does not eliminate all security vulnerabilities; it can enforce security policies (e.g., Pod Security Standards, network policies) but cannot remove vulnerabilities in application code or container images. Option C is wrong because container orchestration enables automatic scaling (e.g., Horizontal Pod Autoscaler in Kubernetes), not manual scaling, which is a legacy approach. Option D is wrong because orchestration cannot guarantee zero downtime; it can minimize downtime through rolling updates and self-healing, but factors like node failures, misconfigurations, or resource exhaustion can still cause downtime.

285
Multi-Selecthard

Which three of the following are benefits of container orchestration? (Choose three.)

Select 3 answers
A.High availability through replication
B.Scaling services up or down
C.Manual deployment of containers to specific hosts
D.Self-healing by restarting failed containers
E.Bare metal performance
AnswersA, B, D

Orchestration ensures replicas are distributed across nodes for availability.

Why this answer

Container orchestration provides high availability via replicas, scaling (both manual and autoscaling), and self-healing (restarting failed containers). Bare metal performance is not a direct benefit of orchestration; it is a characteristic of containers themselves. Manual deployment is the opposite of orchestration.

286
Multi-Selecthard

Which THREE of the following are benefits of using container orchestration? (Choose three.)

Select 3 answers
A.High availability through automated failover
B.Decomposition of applications into microservices
C.Simplified networking with flat network topology
D.Self-healing by restarting failed containers
E.Automatic scaling of applications based on demand
AnswersA, D, E

Orchestration ensures applications remain available.

Why this answer

Option A is correct because container orchestration platforms like Kubernetes implement automated failover by monitoring container health via liveness probes and rescheduling pods on healthy nodes when a node fails. This ensures that applications remain available even when underlying infrastructure components fail, which is a core benefit of orchestration.

Exam trap

CNCF often tests the distinction between architectural patterns (like microservices) and operational benefits of orchestration, so candidates mistakenly select decomposition as a direct benefit when it is actually a design choice that orchestration supports.

287
MCQeasy

What is the role of an API gateway in a microservices architecture?

A.To schedule pods on nodes
B.To store application configuration
C.To monitor container resource usage
D.To provide a single entry point for external clients to access multiple backend services
AnswerD

The API gateway routes requests to appropriate microservices and can aggregate responses.

Why this answer

An API gateway acts as a single entry point for client requests, handling routing, authentication, rate limiting, and other cross-cutting concerns.

288
MCQeasy

A development team is containerizing a monolithic application into microservices. Which practice aligns with cloud-native architecture principles?

A.Use a shared database for all microservices to ensure data consistency.
B.Use JSON Web Tokens for authentication between microservices in the same cluster.
C.Design each microservice with its own data store and communicate via APIs.
D.Ensure all microservices have identical resource requests and limits.
AnswerC

Each microservice owning its data store enables independent scaling and evolution.

Why this answer

Option C is correct because cloud-native architecture principles advocate for decentralized data management, where each microservice owns its private data store and exposes functionality via well-defined APIs. This ensures loose coupling, independent scalability, and resilience, as services can evolve without impacting others. The pattern aligns with the Database per Service pattern, a core tenet of microservices design.

Exam trap

CNCF often tests the misconception that 'shared data ensures consistency' (Option A) or that 'identical resource limits simplify management' (Option D), while the correct answer emphasizes data autonomy and API-based communication as the hallmark of cloud-native design.

How to eliminate wrong answers

Option A is wrong because a shared database creates tight coupling between microservices, violating the principle of bounded contexts and making independent deployments and scaling impossible; it also introduces a single point of failure and contention. Option B is wrong because JSON Web Tokens (JWTs) are used for stateless authentication between services, but within the same cluster, internal service-to-service communication should leverage mutual TLS (mTLS) or a service mesh (e.g., Istio) for stronger security, not rely on JWT alone which can be intercepted without transport encryption. Option D is wrong because requiring identical resource requests and limits for all microservices ignores the fact that different services have distinct resource profiles (e.g., CPU-intensive vs. memory-intensive), leading to inefficient cluster utilization and potential throttling or waste.

289
MCQhard

You create a Deployment with 'replicas: 3' and update the pod template without changing the selector. After the update, you notice that only the new Pods are running, but old Pods have been terminated. What is the default update strategy?

A.OnDelete
B.BlueGreen
C.RollingUpdate
D.Recreate
AnswerC

RollingUpdate gradually replaces Pods; old ones are terminated as new ones become ready.

Why this answer

The default strategy for Deployments is RollingUpdate, which gradually replaces old Pods with new ones without downtime, and by default it keeps no old Pods running after the update completes.

290
MCQmedium

Which Kubernetes object is used to store non-sensitive configuration data that can be consumed by pods?

A.Secret
B.Annotation
C.Volume
D.ConfigMap
AnswerD

ConfigMap is the correct object for non-sensitive configuration.

Why this answer

ConfigMap is designed to store non-sensitive configuration data as key-value pairs or files.

291
MCQmedium

Which component implements the Container Runtime Interface (CRI) to manage container lifecycle in Kubernetes?

A.kubelet
B.CRI-O
C.containerd
D.Docker
AnswerC

containerd is a CRI-compliant container runtime.

Why this answer

containerd is a CRI-compliant runtime that manages containers, while kubelet interacts with it via CRI.

292
MCQhard

A Deployment is configured with 'strategy.type: RollingUpdate' and 'strategy.rollingUpdate.maxUnavailable: 0'. What is the effect during a rolling update?

A.The update will fail because maxUnavailable must be at least 1
B.The update will not proceed until at least one new pod is ready
C.The update will proceed without any downtime
D.No pod will be terminated until a new pod is ready
AnswerD

With maxUnavailable=0, the controller cannot make any existing pods unavailable, so it must wait for new pods to become ready before terminating old ones.

Why this answer

With maxUnavailable=0, the controller ensures no pods are unavailable during the update, but it may create new pods before terminating old ones, potentially causing resource contention.

293
MCQhard

A team uses ArgoCD with a Git repository that contains Helm charts. They want ArgoCD to automatically sync when a new image tag is pushed to the container registry. Which approach should they use?

A.Use Flux Image Automation Controller
B.Configure a webhook from the registry to ArgoCD API server
C.Manually update the Helm values and commit
D.Use ArgoCD Image Updater
AnswerD

ArgoCD Image Updater monitors registries and updates the desired state in Git automatically.

Why this answer

ArgoCD Image Updater is the official tool to automatically update image tags in Kubernetes manifests (including Helm values) and commit changes to Git, triggering ArgoCD to sync.

294
MCQhard

A cloud-native application experiences periodic timeouts when calling a downstream service. The downstream service is running in the same Kubernetes cluster. Which design pattern should be implemented to handle this gracefully?

A.Circuit breaker pattern
B.Bulkhead pattern
C.Retry with exponential backoff
D.Health check endpoint
AnswerA

Prevents cascading failures.

Why this answer

The Circuit Breaker pattern is correct because it prevents cascading failures by monitoring for failures and, once a threshold is exceeded (e.g., 5 consecutive timeouts), it opens the circuit and immediately fails fast without waiting for the downstream service. This allows the application to handle periodic timeouts gracefully by avoiding wasted resources and providing a fallback response, which is critical for cloud-native resilience in Kubernetes.

Exam trap

CNCF often tests the distinction between 'handling' a failure (Circuit Breaker) and 'preventing' a failure (Bulkhead), so candidates mistakenly choose Bulkhead when the question asks for graceful handling of timeouts rather than resource isolation.

How to eliminate wrong answers

Option B (Bulkhead pattern) is wrong because it isolates resources (e.g., thread pools) to prevent one failing component from exhausting shared resources, but it does not address handling periodic timeouts from a downstream service; it focuses on fault isolation, not failure response. Option C (Retry with exponential backoff) is wrong because while it can help with transient failures, periodic timeouts suggest a persistent or overloaded downstream service, and retries can exacerbate the problem by adding load and delaying failure detection. Option D (Health check endpoint) is wrong because it only provides a way to probe the service's liveness or readiness (e.g., via Kubernetes probes), but it does not handle the timeout scenario itself; it is a detection mechanism, not a graceful handling pattern.

295
MCQmedium

A team wants to visualize metrics from Prometheus in a dashboard. Which tool is commonly used for this purpose?

A.Grafana
B.Alertmanager
C.Jaeger UI
D.Kibana
AnswerA

Grafana integrates natively with Prometheus.

Why this answer

Grafana is the most popular visualization tool for Prometheus metrics, offering rich dashboards.

296
MCQeasy

Which of the following is a graduated CNCF project?

A.Prometheus
B.Flux
C.Linkerd
D.ArgoCD
AnswerA

Why this answer

Prometheus is a graduated CNCF project, having reached the graduation maturity level in August 2018. The CNCF graduation criteria require projects to demonstrate adoption, governance maturity, and long-term stability, which Prometheus meets as a core monitoring and alerting toolkit widely used in cloud-native environments.

Exam trap

CNCF often tests the distinction between CNCF project maturity levels, and the trap here is that candidates may assume any popular or widely used project (like Flux or ArgoCD) is graduated, when in fact they are still at the incubating stage.

How to eliminate wrong answers

Option B (Flux) is wrong because Flux is a CNCF incubating project, not graduated; it is a GitOps tool for continuous delivery but has not yet reached the graduation stage. Option C (Linkerd) is wrong because Linkerd is also an incubating CNCF project, serving as a service mesh, and has not graduated. Option D (ArgoCD) is wrong because ArgoCD is an incubating CNCF project, focused on declarative GitOps for Kubernetes, and has not achieved graduated status.

297
MCQmedium

What is the smallest deployable unit in Kubernetes that can be created and managed?

A.Deployment
B.Node
C.Container
D.Pod
AnswerD

Pod is the smallest deployable unit.

Why this answer

A Pod is the smallest and simplest Kubernetes object. It represents a single instance of a running process in the cluster.

298
MCQhard

Which of the following kubectl commands would you use to update a Deployment's image to 'nginx:1.21' and record the change in the rollout history?

A.kubectl edit deployment nginx --image=nginx:1.21
B.kubectl set image deployment/nginx nginx=nginx:1.21
C.kubectl set image deployment/nginx nginx=nginx:1.21 --record
D.kubectl patch deployment nginx -p '{"spec":{"template":{"spec":{"containers":[{"name":"nginx","image":"nginx:1.21"}]}}}}' --record
AnswerC

This updates the image and records the change in the rollout history.

Why this answer

Option C is correct because `kubectl set image deployment/nginx nginx=nginx:1.21 --record` updates the container image of the specified deployment and, with the `--record` flag, annotates the change in the rollout history (stored in the `kubernetes.io/change-cause` annotation). This allows you to later inspect the change with `kubectl rollout history deployment/nginx`.

Exam trap

CNCF often tests the `--record` flag as a subtle requirement; candidates may pick option B because it correctly updates the image but forget that the question explicitly asks to record the change in the rollout history.

How to eliminate wrong answers

Option A is wrong because `kubectl edit deployment nginx --image=nginx:1.21` is invalid syntax; `kubectl edit` opens an editor for the resource and does not accept an `--image` flag. Option B is wrong because `kubectl set image deployment/nginx nginx=nginx:1.21` updates the image but does not include the `--record` flag, so the change will not be recorded in the rollout history. Option D is wrong because while `kubectl patch` with the correct JSON patch can update the image and `--record` records it, the question specifically asks for a command to update the image and record the change; option C is the most direct and standard command for this purpose, and option D is unnecessarily complex and less idiomatic for a simple image update.

299
MCQeasy

What is the primary purpose of a Namespace in Kubernetes?

A.To set resource quotas for the entire cluster
B.To define network policies for pods
C.To manage node affinity rules
D.To isolate resources and provide a scope for names
AnswerD

Namespaces partition resources into logically named groups.

Why this answer

Namespaces provide logical isolation and scope for resources within a cluster, allowing multiple virtual clusters backed by the same physical cluster.

300
MCQmedium

A team is designing a cloud-native application that requires each microservice to have its own database. This pattern is known as:

A.Saga pattern
B.Database-per-service pattern
C.Shared database pattern
D.CQRS pattern
AnswerB

Each service has its own private database.

Why this answer

The Database-per-service pattern is the correct answer because it ensures each microservice owns and manages its own database, enforcing loose coupling and data encapsulation. This aligns with the cloud-native principle of decentralized data management, where services communicate only via APIs and never access each other's databases directly. It prevents tight coupling at the data layer, which is critical for independent scaling, deployment, and resilience in a microservices architecture.

Exam trap

CNCF often tests the misconception that the Saga pattern defines database ownership, when in fact it is a transaction coordination pattern, not a data isolation strategy.

How to eliminate wrong answers

Option A is wrong because the Saga pattern is a distributed transaction management pattern used to maintain data consistency across multiple services, not a database ownership model. Option C is wrong because the Shared database pattern contradicts the requirement for each microservice to have its own database, as it forces all services to access a single database, creating tight coupling and single points of failure. Option D is wrong because CQRS (Command Query Responsibility Segregation) is a pattern that separates read and write operations into different models or databases, but it does not define per-service database ownership.

Page 3

Page 4 of 14

Page 5