Kubernetes and Cloud Native Associate KCNA (KCNA) — Questions 301–375

997 questions total · 14 pages · All types, answers revealed

Page 5 of 14

301
MCQ · hard

A team wants to implement cost monitoring for their Kubernetes clusters. Which approach is most effective?

A. Use cloud provider billing APIs combined with resource utilization data
B. Use kubectl top to get resource usage
C. Estimate costs based on node count
D. Monitor CPU and memory usage with Prometheus
Answer: A

This maps resource consumption to cost.

Why this answer

Option A is correct because cloud provider billing APIs provide actual cost data per resource (e.g., per node, per persistent volume, per network egress), and combining this with resource utilization data (e.g., CPU/memory requests and actual usage from metrics) enables accurate cost allocation per namespace, pod, or workload. This approach directly maps infrastructure spend to Kubernetes abstractions, which is essential for chargeback or showback in multi-tenant clusters.

Exam trap

The trap here is that candidates confuse resource monitoring (CPU/memory) with cost monitoring, assuming that tracking utilization alone (e.g., with Prometheus or kubectl top) is sufficient to understand spending, when in fact cost data requires explicit billing integration.

How to eliminate wrong answers

Option B is wrong because 'kubectl top' only shows current resource usage (CPU/memory) for nodes and pods, not cost data; it lacks any billing context or historical aggregation needed for cost monitoring. Option C is wrong because estimating costs based solely on node count ignores variable costs like storage, network egress, and managed services (e.g., load balancers), leading to inaccurate cost attribution. Option D is wrong because Prometheus monitors resource utilization metrics (CPU, memory, disk I/O) but does not inherently provide cost data; it would need to be combined with pricing information from cloud provider APIs to calculate costs.

302
Multi-Select · medium

Which THREE of the following are core principles of cloud native computing as defined by the CNCF? (Select 3)

Select 3 answers
A. Dynamic orchestration
B. Waterfall development
C. Monolithic architecture
D. Microservices
E. Containers
Answers: A, D, E

Dynamic orchestration (e.g., Kubernetes) is a core principle.

Why this answer

The CNCF defines cloud native as using microservices, containers, dynamic orchestration, and DevOps. The three correct options are microservices, containers, and dynamic orchestration. DevOps is also a principle, but the question asks for three; the other options are not core principles.

303
MCQ · easy

What is the purpose of a readiness probe in a Kubernetes pod?

A. To measure resource usage of the container
B. To restart the container when it becomes unresponsive
C. To determine if the container is ready to accept traffic
D. To check if the container is still running
Answer: C

Readiness probes control Service membership.

Why this answer

A readiness probe in Kubernetes determines whether a container within a pod is ready to start accepting traffic. If the probe fails, the pod is removed from the Service's endpoints, ensuring that only healthy containers receive requests. This is distinct from liveness probes, which restart containers, and startup probes, which delay other probes until initialization completes.

Exam trap

CNCF often tests the confusion between readiness and liveness probes, where candidates mistakenly think readiness probes restart containers (Option B) instead of controlling traffic admission.

How to eliminate wrong answers

Option A is wrong because resource usage measurement is handled by metrics-server or Prometheus, not by probes; readiness probes only check application readiness via HTTP, TCP, or command execution. Option B is wrong because restarting unresponsive containers is the job of a liveness probe, not a readiness probe; readiness probes only affect traffic routing. Option D is wrong because checking if a container is still running is the function of a liveness probe or the container runtime's process monitoring; readiness probes assume the container is running and instead verify its ability to serve requests.

304
Multi-Select · medium

Which TWO are benefits of using a service mesh? (Choose two.)

Select 2 answers
A. Observability of service-to-service communication
B. Automatic database scaling
C. Traffic management (e.g., canary deployments)
D. Container image building
E. Load balancing of external requests
Answers: A, C

Service mesh collects metrics and traces for inter-service calls.

Why this answer

Service mesh provides observability (e.g., metrics, tracing) and traffic management (e.g., routing, retries) between services.

305
MCQ · hard

A team uses Flux with the Source Controller and Kustomize Controller. They update a YAML file in Git to change a Deployment's replica count. What describes the synchronization flow?

A. The Source Controller directly applies the manifest to the cluster
B. Flux uses HelmReleases to apply changes
C. The Kustomize Controller fetches the source and applies the rendered manifests
D. Flux requires a manual kubectl apply to sync
Answer: C

Kustomize Controller reconciles the source and applies.

Why this answer

Flux Source Controller fetches changes from Git; Kustomize Controller reconciles the kustomization and applies to the cluster.

306
MCQ · easy

Based on the exhibit, why is the pod web-pod not running?

A. A network policy is blocking the image pull.
B. The container image is not available in the registry.
C. The node does not have enough memory.
D. The pod was not scheduled onto a node.
Answer: B

The error 'image not found' confirms the image is missing.

Why this answer

Option B is correct because the pod's status indicates an ImagePullBackOff error, which occurs when the kubelet fails to pull the specified container image from the registry. This typically means the image name or tag is incorrect, the registry is unreachable, or the image does not exist in the registry. The exhibit shows the pod is stuck in a waiting state with the reason 'ErrImagePull' or 'ImagePullBackOff', directly pointing to a missing or inaccessible image.

Exam trap

Cisco often tests the distinction between pod scheduling failures (e.g., resource constraints, taints/tolerations) and container runtime failures (e.g., image pull errors), so candidates may confuse a 'Pending' pod with an 'ImagePullBackOff' pod, both of which are not running but have different root causes.

How to eliminate wrong answers

Option A is wrong because network policies in Kubernetes control traffic between pods, not image pull operations; image pulls are handled by the container runtime (e.g., containerd, CRI-O) and are subject to registry authentication and network connectivity, not NetworkPolicy objects. Option C is wrong because a memory shortage on the node would manifest as an OOMKilled or Pod eviction, not an ImagePullBackOff error; the exhibit shows no resource pressure events. Option D is wrong because the pod has been scheduled onto a node (as indicated by the pod status showing a node name), but the container fails to start due to the image pull issue; unscheduled pods would show a 'Pending' status with no node assigned.

307
MCQ · medium

Which tool is specifically designed for distributed tracing and is a Cloud Native Computing Foundation (CNCF) graduated project?

A. Grafana
B. Fluentd
C. Jaeger
D. Prometheus
Answer: C

Jaeger is a graduated CNCF project for distributed tracing.

Why this answer

Jaeger is a CNCF graduated project focused on distributed tracing.

308
MCQ · easy

Which component runs on each worker node and ensures that containers are running as specified in the Pod spec?

A. kubelet
B. kube-proxy
C. kube-scheduler
D. kube-controller-manager
Answer: A

The kubelet runs on each node and ensures containers are healthy.

Why this answer

The kubelet is the node agent that communicates with the control plane and manages containers on the node.

309
MCQ · medium

Which component of the OpenTelemetry architecture is responsible for receiving data from instrumented applications and processing it before export?

A. OpenTelemetry SDK
B. OpenTelemetry API
C. OpenTelemetry Collector
D. OpenTelemetry exporter
Answer: C

The Collector handles ingestion, processing, and export.

Why this answer

The OpenTelemetry Collector receives, processes, and exports telemetry data.

310
MCQ · easy

A Pod is in the 'Pending' state. What is the most likely cause?

A. The Pod is still being scheduled because no Node has enough resources
B. The container image is missing
C. The Service referencing the Pod does not exist
D. The application inside the container has crashed
Answer: A

The scheduler cannot place the Pod, so it remains Pending.

Why this answer

Pending typically means the Pod has been accepted but not yet scheduled, often due to insufficient resources or node availability.

311
MCQ · hard

A Service of type ClusterIP is not resolving DNS names for pods. The pods are running and can communicate with each other via IP addresses. Which component should be checked first?

A. The kubelet on the node where the pod is running
B. The Service's endpoint slices
C. kube-proxy on the nodes
D. CoreDNS pods in the kube-system namespace
Answer: D

CoreDNS provides DNS resolution for cluster services.

Why this answer

CoreDNS is the cluster DNS service that provides DNS resolution for services and pods. If DNS is not working, CoreDNS pods should be checked.

312
MCQ · easy

Which of the following best describes the purpose of the CNCF (Cloud Native Computing Foundation)?

A. To develop proprietary cloud native software
B. To define the 12-factor app methodology
C. To host and promote open source cloud native projects
D. To provide certification exams for Kubernetes administrators
Answer: C

Why this answer

The CNCF's mission is to make cloud native computing ubiquitous by fostering and sustaining open source projects.

313
MCQ · medium

A container image built using a Dockerfile with multiple layers is stored in a registry. When a node pulls this image, which statement about layers is true?

A. Layers that are already cached on the node are reused and only new layers are downloaded
B. Layers are merged into a single layer before download
C. All layers must be downloaded each time the image is pulled
D. Only the topmost layer is downloaded; lower layers are streamed from the registry
Answer: A

This is the core benefit of image layering — efficient caching and reuse.

Why this answer

Container images are composed of layers. If a node already has some layers cached from previous pulls, only the missing layers are downloaded. This saves bandwidth and time.

314
Multi-Select · easy

Which TWO of the following tools are commonly used for distributed tracing in cloud-native environments? (Select two.)

Select 2 answers
A. Zipkin
B. Grafana
C. Jaeger
D. Fluentd
E. Prometheus
Answers: A, C

Zipkin is a distributed tracing system.

Why this answer

Jaeger and Zipkin are popular open-source distributed tracing systems.

315
MCQ · hard

In PromQL, which function would you use to calculate the per-second rate of increase of a counter over a specified time window?

A. rate()
B. delta()
C. avg_over_time()
D. increase()
Answer: A

rate() is the correct function for per-second rate of a counter.

Why this answer

The rate() function calculates the per-second average rate of increase of a counter over a time range.

316
MCQ · hard

A cloud-native application experiences intermittent failures when calling an external API. The team implements a pattern that allows the application to temporarily stop calling the failing API and serve stale data or a fallback response. Which resiliency pattern does this describe?

A. Circuit Breaker pattern
B. Retry pattern
C. Bulkhead pattern
D. Timeout pattern
Answer: A

The circuit breaker opens to stop calls and allows fallback.

Why this answer

The circuit breaker pattern prevents repeated calls to a failing service, allowing the system to degrade gracefully.

317
MCQ · easy

What is the purpose of a readiness probe in a Kubernetes pod?

A. To determine if the pod should be terminated
B. To check if the pod is alive and restart it if not
C. To measure CPU usage of the container
D. To signal that the pod is ready to accept traffic
Answer: D

Correct. Readiness probe controls whether the pod receives traffic.

Why this answer

Readiness probe determines if a pod is ready to serve traffic. If it fails, the pod is removed from Service endpoints.

318
Multi-Select · medium

Which TWO statements correctly describe the purpose of etcd in a Kubernetes cluster?

Select 2 answers
A. It stores the cluster state, including all Kubernetes objects.
B. It manages network rules for Pod-to-Pod communication.
C. It schedules Pods onto nodes based on resource availability.
D. It exposes the Kubernetes API for external access.
E. It is a distributed key-value store that provides high availability and consistency.
Answers: A, E

etcd is the backing store for all cluster data.

Why this answer

Option A is correct because etcd is the primary data store for all Kubernetes cluster state, including the configuration and status of every Kubernetes object (Pods, Services, Deployments, etc.). It stores this information as key-value pairs, and the Kubernetes API server is the only component that reads from and writes to etcd directly. Without etcd, the cluster would have no persistent record of its desired or current state.

Exam trap

CNCF often tests the distinction between the component that stores state (etcd) and the components that use that state (scheduler, controller manager, API server), so the trap here is confusing etcd's role as a passive data store with the active management functions of other control plane components.

319
Multi-Select · medium

Which THREE of the following are valid ways to expose a set of pods as a network service in Kubernetes?

Select 3 answers
A. ClusterIP
B. NodePort
C. LoadBalancer
D. Ingress
E. ExternalName
Answers: A, B, C

ClusterIP exposes the service on a cluster-internal IP; it is the default type.

Why this answer

A ClusterIP service exposes the set of pods on a cluster-internal IP address, making it reachable only from within the cluster. This is the default service type in Kubernetes and is valid for internal communication between workloads. It does not provide external access, but it is a core method for exposing pods as a network service.

Exam trap

CNCF often tests the distinction between service types (ClusterIP, NodePort, LoadBalancer) and other networking objects like Ingress or ExternalName, trapping candidates who think Ingress is a service type or that ExternalName exposes pods.

320
MCQ · hard

In OpenTelemetry, what is the purpose of the Collector component?

A. Instrument code automatically
B. Receive, process, and export telemetry data
C. Visualize traces and metrics
D. Aggregate logs from multiple sources
Answer: B

The Collector is a vendor-agnostic pipeline for telemetry data.

Why this answer

The OpenTelemetry Collector is a vendor-agnostic agent or gateway that receives telemetry data (traces, metrics, logs) from instrumented applications, processes it (e.g., batching, filtering, sampling), and exports it to one or more backends (e.g., Jaeger, Prometheus, or any OTLP-compatible system). It decouples data generation from data export, enabling flexible pipeline management without modifying application code.

Exam trap

CNCF often tests the distinction between the Collector's role (data pipeline) and other components like SDKs (instrumentation) or backends (visualization/storage), so candidates mistakenly associate the Collector with auto-instrumentation or visualization.

How to eliminate wrong answers

Option A is wrong because automatic code instrumentation is the role of OpenTelemetry SDKs and auto-instrumentation agents (e.g., Java agent), not the Collector; the Collector does not instrument code. Option C is wrong because visualization of traces and metrics is the responsibility of backend tools like Jaeger UI, Grafana, or Prometheus, not the Collector, which only processes and forwards data. Option D is wrong because while the Collector can handle logs, its primary purpose is not limited to log aggregation; it is a unified pipeline for traces, metrics, and logs, and log aggregation alone is a narrower function often served by tools like Fluentd or Logstash.

321
Drag & Drop · medium

Drag and drop the steps to create a Kubernetes Namespace and deploy an application into it into the correct order.

Why this order

First create namespace, then deploy resources specifying that namespace, and verify.

322
MCQ · medium

A pod is stuck in 'Pending' state. Which of the following is a likely cause?

A. The pod's liveness probe failed
B. The pod's readiness probe failed
C. Insufficient cluster resources (CPU/memory) to schedule the pod
D. The container image is missing
Answer: C

If no node has enough resources, the pod stays Pending.

Why this answer

Pending usually means the scheduler cannot find a node that meets the pod's resource requests or other constraints.

323
MCQ · medium

A pod is stuck in Pending state. You run 'kubectl describe pod' and see the event '0/3 nodes are available: 1 node(s) had taint(s) that the pod didn't tolerate, 2 node(s) had insufficient memory.' What is the most likely cause?

A. The pod does not have tolerations for the node's taints and memory is insufficient on other nodes
B. The kube-scheduler is not running
C. The container runtime is not installed on any node
D. The pod's resource requests exceed available resources on all nodes
Answer: A

Why this answer

The pod cannot be scheduled because no node meets its requirements. Two nodes have insufficient memory, and one node has taints that the pod does not tolerate. The primary issue here is insufficient memory on two nodes, but the taint issue also prevents scheduling.

However, the event indicates the pod cannot tolerate the taints on one node. The most direct cause is that the pod lacks tolerations for the node's taints.

324
MCQ · easy

A Kubernetes administrator is troubleshooting a pod that is stuck in CrashLoopBackOff. The pod's restart count is increasing. Which initial step should the administrator take to diagnose the issue?

A. Run 'kubectl describe pod <pod-name>' to check events
B. Check the Prometheus metrics for the pod's CPU usage
C. Run 'kubectl exec -it <pod-name> -- /bin/sh' to inspect the container
D. Run 'kubectl logs <pod-name>' to view the application logs
Answer: D

Logs often contain error messages that explain why the application is crashing.

Why this answer

Option D is correct because when a pod is in CrashLoopBackOff, the immediate priority is to inspect the application logs to understand why the container is failing. `kubectl logs <pod-name>` retrieves the stdout/stderr output from the container, which typically contains error messages, stack traces, or configuration issues that caused the crash. This is the most direct and efficient first step before deeper investigation.

Exam trap

The trap here is that candidates often jump to `kubectl describe pod` (Option A) because it shows events and status, but they overlook that application-level errors are only visible in the container logs, not in the pod events.

How to eliminate wrong answers

Option A is wrong because `kubectl describe pod` shows events and status details, but it does not show the application's runtime logs; it is useful for cluster-level issues (e.g., image pull failures, node problems) but not for application crashes. Option B is wrong because Prometheus metrics are for long-term monitoring and alerting, not for real-time crash diagnosis; CPU usage data will not reveal why a process exited. Option C is wrong because `kubectl exec` requires a running container, but a pod in CrashLoopBackOff has a container that is repeatedly crashing and may not be running at the moment the command is issued, causing the exec to fail.

325
MCQ · medium

Which Kubernetes resource should be used to run a one-time task that performs a computation and then exits?

A. DaemonSet
B. StatefulSet
C. Job
D. Deployment
Answer: C

Job is designed for batch processing.

Why this answer

A Kubernetes Job is designed specifically for finite, one-time tasks that run to completion and then exit. Unlike controllers that maintain a desired number of continuously running Pods, a Job creates one or more Pods and tracks their successful termination, making it the correct choice for a computation that should run once and stop.

Exam trap

The trap here is that candidates confuse a Job with a Deployment because both can run containers, but a Deployment is designed for long-running services, not for tasks that should terminate after completion.

How to eliminate wrong answers

Option A is wrong because a DaemonSet ensures that a copy of a Pod runs on every (or selected) Node in the cluster, intended for long-running background services like log collectors or monitoring agents, not for one-time tasks. Option B is wrong because a StatefulSet manages stateful applications with stable, unique network identities and persistent storage, designed for workloads like databases that require ordered deployment and scaling, not ephemeral computations. Option D is wrong because a Deployment manages a ReplicaSet to maintain a desired number of continuously running Pods, supporting rolling updates and self-healing, which is unnecessary overhead for a task that should exit after completion.

326
MCQ · medium

Which component runs on every Kubernetes node and ensures that the containers in a pod are running?

A. kube-proxy
B. kube-scheduler
C. kubelet
D. container runtime
Answer: C

The kubelet is the node agent that manages pods.

Why this answer

The kubelet is the primary node agent that watches for pod specs and ensures the containers are healthy.

327
MCQ · hard

An organization wants to manage infrastructure across multiple cloud providers using a single declarative configuration language. Which tool is best suited for this requirement?

A. Kustomize
B. Helm
C. Terraform
D. Pulumi
Answer: D

Pulumi supports multi-cloud and allows infrastructure as code using TypeScript, Python, Go, etc.

Why this answer

Pulumi supports multiple clouds and allows infrastructure definition using general-purpose programming languages, enabling multi-cloud management with a single tool.

328
MCQ · medium

What is the purpose of a liveness probe in a Kubernetes pod?

A. To check if the pod is scheduled on a node
B. To check if the container has started successfully
C. To check if the application is ready to serve traffic
D. To check if the application is still running; if not, restart the container
Answer: D

Liveness probes indicate whether the container is alive.

Why this answer

A liveness probe in Kubernetes is used to determine if a container is still running and healthy. If the probe fails, the kubelet kills the container and restarts it based on the pod's restart policy. This ensures that applications that have entered a deadlock or hung state are automatically recovered without manual intervention.

Exam trap

The trap here is that candidates often confuse liveness probes with readiness probes, mistakenly thinking liveness determines traffic readiness, but liveness is solely about container health and automatic restarts, not service connectivity.

How to eliminate wrong answers

Option A is wrong because checking if a pod is scheduled on a node is the role of the Kubernetes scheduler and is reflected in the pod's status, not a liveness probe. Option B is wrong because checking if a container has started successfully is the purpose of a startup probe, which runs before other probes to allow slow-starting applications time to initialize. Option C is wrong because checking if the application is ready to serve traffic is the purpose of a readiness probe, which controls whether the pod receives traffic from Services, not whether it should be restarted.

329
MCQ · easy

Which of the following is a core principle of cloud native architecture as defined by the CNCF?

A. Monolithic application design
B. Manual scaling of applications
C. Static infrastructure provisioning
D. Microservices packaged in containers
Answer: D

Microservices in containers are a key cloud native principle.

Why this answer

The CNCF defines cloud native architecture as using microservices, containers, dynamic orchestration, and DevOps.

330
MCQ · easy

Which of the following is the correct definition of a Service Level Indicator (SLI)?

A. A formal contract between a service provider and a customer
B. A target value or range for a metric, agreed upon with stakeholders
C. A quantitative measure of a specific aspect of the service's reliability
D. A tool for aggregating logs from multiple sources
Answer: C

An SLI is exactly that: a metric that indicates the level of service.

Why this answer

An SLI is a specific metric that measures a particular aspect of service reliability, such as request latency or error rate.

331
MCQ · easy

Which GitOps tool is specifically designed for Kubernetes and follows the declarative GitOps pattern, continuously reconciling the desired state from a Git repository?

A. ArgoCD
B. Helm
C. Terraform
D. Jenkins
Answer: A

ArgoCD is purpose-built for GitOps on Kubernetes.

Why this answer

ArgoCD is a declarative GitOps continuous delivery tool for Kubernetes that syncs application state with a Git repository.

332
MCQ · medium

A development team wants to deploy a serverless function that triggers when a file is uploaded to an S3 bucket. Which cloud native technology is most appropriate for this scenario?

A. AWS Lambda
B. Helm
C. Knative
D. Istio
Answer: C

Knative is a CNCF incubating project that provides serverless capabilities on Kubernetes, including event-driven functions.

Why this answer

Knative is a Kubernetes-based platform to build, deploy, and manage serverless workloads, including event-driven functions. AWS Lambda is a proprietary service, not a cloud native project.

333
Drag & Drop · medium

Drag and drop the steps to troubleshoot a Pod stuck in CrashLoopBackOff into the correct order.

Why this order

Start with describe for events, then logs for errors, check resources, verify image/command, then fix and redeploy.

334
Multi-Select · medium

Which TWO of the following are characteristics of immutable infrastructure? (Select two.)

Select 2 answers
A. Servers are never modified after they are deployed
B. Containers are used exclusively
C. Infrastructure is version-controlled and tested
D. New versions are deployed by replacing the entire server with a new image
E. Configuration updates are applied directly to running servers
Answers: A, D

Immutable infrastructure treats servers as disposable; any change requires redeployment.

Why this answer

Immutable infrastructure means that components are replaced rather than changed in place. Option A (servers are never modified after deployment) and Option D (changes are made by redeploying with a new image) are correct. Option B describes mutable infrastructure; Option C is not a characteristic; Option E is about containers in general but not specifically immutable infrastructure.

335
MCQ · medium

Which of the following is true about Kubernetes Namespaces?

A. Objects in different namespaces cannot communicate with each other
B. Namespaces allow you to divide cluster resources between multiple users
C. Namespaces are global across all clusters
D. Namespaces provide network isolation by default
Answer: B

Namespaces enable resource quotas and RBAC to separate teams.

Why this answer

Namespaces provide a logical separation of resources within a cluster, allowing multiple teams or projects to coexist.

336
Multi-Select · medium

Which TWO of the following are deployment patterns that can be used to update applications with minimal downtime? (Choose two.)

Select 2 answers
A. DaemonSet deployment
B. Sidecar deployment
C. Recreate deployment
D. Blue-green deployment
E. Canary deployment
Answers: D, E

Blue-green deploys a new version alongside the old and switches traffic after testing.

Why this answer

Blue-green and canary are deployment patterns that reduce downtime by gradually shifting traffic. Rolling update is also a pattern but the question asks for minimal downtime; blue-green and canary are specifically designed for that.

337
MCQ · medium

A developer wants to deploy a stateless web application that should scale to 5 replicas. Each replica must be identical and should be automatically replaced if it fails. Which Kubernetes resource should be used?

A. StatefulSet
B. DaemonSet
C. Deployment
D. ReplicationController
Answer: C

Deployment manages ReplicaSets and provides declarative updates and self-healing.

Why this answer

A Deployment is the correct resource because it manages a ReplicaSet to ensure the desired number of identical, stateless pod replicas (5) are running. It provides declarative updates, self-healing (automatic replacement of failed pods), and scaling capabilities, which directly match the requirement for a stateless web application.

Exam trap

The trap here is that candidates often confuse StatefulSet with Deployment for stateless apps because both can manage multiple replicas, but StatefulSet is specifically for stateful workloads requiring ordered deployment and stable identities, not for identical, interchangeable replicas.

How to eliminate wrong answers

Option A is wrong because StatefulSet is designed for stateful applications that require stable, unique network identities and persistent storage, not for stateless web apps where replicas are identical and can be replaced arbitrarily. Option B is wrong because DaemonSet ensures that a copy of a pod runs on every (or selected) node in the cluster, which is used for cluster-level services like logging or monitoring, not for scaling a stateless web app to a specific replica count. Option D is wrong because ReplicationController is the older, deprecated predecessor of Deployment; it can maintain a desired number of pod replicas but lacks advanced features like rolling updates and declarative management, and it is not the recommended resource for modern Kubernetes deployments.

338
Multi-Select · medium

Which TWO of the following are key characteristics of cloud-native applications? (Select two.)

Select 2 answers
A. Monolithic architecture
B. Microservices architecture
C. Containerized deployment
D. Manual scaling
E. Long-lived virtual machines
Answers: B, C

Microservices are a core pattern in cloud-native.

Why this answer

Cloud-native applications are designed as microservices and use containers for deployment, enabling scalability and resilience.

339
MCQ · easy

Which Kubernetes resource is used to run a batch job that runs to completion?

A. DaemonSet
B. StatefulSet
C. Job
D. Deployment
Answer: C

Jobs manage pods that run until completion.

Why this answer

Jobs are designed for batch processing and run pods until successful completion.

340
Multi-Select · hard

Which TWO of the following are recommended practices for achieving observability in a Kubernetes cluster?

Select 2 answers
A. Use a single centralized logging solution to aggregate logs from all components.
B. Store all debug logs for a minimum of 90 days for compliance.
C. Include correlation IDs in structured logs to enable tracing across services.
D. Disable leader election for monitoring components to reduce complexity.
E. Use Prometheus with a pull-based model to scrape metrics from pods.
Answers: C, E

Correlation IDs help trace requests across microservices.

Why this answer

Option C is correct because including correlation IDs in structured logs is a key observability practice that enables distributed tracing across microservices. In Kubernetes, where requests often traverse multiple pods and services, correlation IDs allow you to link logs from different components into a single transaction flow, which is essential for debugging and understanding system behavior.

Exam trap

CNCF often tests the misconception that centralized logging is always best, but the trap here is that observability emphasizes distributed, resilient data collection over a single monolithic log sink, and that debug logs are not subject to long-term compliance retention like audit logs.

341
Multi-Select · hard

An administrator wants to perform a rolling update of a Deployment. Which TWO actions will achieve this?

Select 2 answers
A. Run 'kubectl set image deployment/myapp myapp=myapp:v2'
B. Run 'kubectl scale deployment myapp --replicas=0' then 'kubectl scale deployment myapp --replicas=5'
C. Run 'kubectl delete deployment' and then 'kubectl create deployment' with the new image
D. Run 'kubectl rollout undo deployment/myapp'
E. Edit the Deployment YAML to change the image version and run 'kubectl apply -f deployment.yaml'
Answers: A, E

This command updates the container image and triggers a rolling update.

Why this answer

Option A is correct because 'kubectl set image deployment/myapp myapp=myapp:v2' directly updates the container image in the Deployment's pod template, which triggers a rolling update by default. The Deployment controller then creates a new ReplicaSet with the updated image and gradually scales it up while scaling down the old ReplicaSet, ensuring zero downtime.

Exam trap

The trap here is that candidates may confuse scaling (Option B) or deleting/recreating (Option C) with a rolling update, or think that 'rollout undo' (Option D) is a way to update to a new image, when it is actually for reverting to a previous version.

342
MCQ · medium

A DevOps engineer wants to deploy a stateful application that requires stable network identities and persistent storage. Which Kubernetes resource is most appropriate?

A. DaemonSet
B. StatefulSet
C. Deployment
D. ReplicaSet
Answer: B

StatefulSet provides stable, unique network identifiers and persistent storage for stateful applications.

Why this answer

A StatefulSet is designed for stateful applications that require stable, unique network identifiers and persistent storage.

343
Multi-Select · hard

Which THREE of the following are true about the Open Container Initiative (OCI)? (Select 3)

Select 3 answers
A. OCI is governed solely by Docker Inc.
B. OCI only applies to Linux containers
C. OCI defines the container image format specification
D. OCI standards are vendor-neutral
E. OCI defines a standard for container runtime execution
Answers: C, D, E

OCI image spec defines the format.

Why this answer

Option C is correct because the Open Container Initiative (OCI) defines the Image Specification, which standardizes the format and content of container images. This ensures that any OCI-compliant image can be run by any OCI-compliant runtime, enabling interoperability across different container platforms.

Exam trap

CNCF often tests the misconception that OCI is Docker-specific or Linux-only, when in fact it is a vendor-neutral, cross-platform standard governed by the Linux Foundation.

344
Multi-Select · medium

Which TWO of the following are benefits of using a container orchestration platform like Kubernetes? (Choose two.)

Select 2 answers
A. Inability to manage container networking
B. Requirement to run applications on a single node
C. Self-healing by restarting failed containers
D. Manual rollback of application versions
E. Automated scaling of applications based on demand
Answers: C, E

Kubernetes restarts failed pods automatically.

Why this answer

Orchestration provides automated scaling and self-healing. Manual scaling and single-node deployment are not benefits.

345
Multi-Select · medium

Which THREE of the following are valid Kubernetes resource types?

Select 3 answers
A. DockerImage
B. Deployment
C. ConfigMap
D. VirtualMachine
E. Service
Answers: B, C, E

A Deployment is a standard resource.

Why this answer

Deployment, Service, and ConfigMap are core Kubernetes resources. DockerImage and VirtualMachine are not native Kubernetes objects.

346
Multi-Select · medium

Which two components are part of the Kubernetes worker node? (Select TWO)

Select 2 answers
A. kubelet
B. kube-controller-manager
C. etcd
D. kube-scheduler
E. container runtime
Answers: A, E

Kubelet manages pods on the node.

Why this answer

Kubelet and container runtime are essential components running on each worker node. Kube-proxy also runs on worker nodes but is often considered part of the node. The question asks for two, and the most fundamental are kubelet and container runtime.

347
Multi-Select · medium

Which THREE are core principles of the Twelve-Factor App methodology?

Select 3 answers
A. Store config in codebase for traceability
B. Explicitly declare and isolate dependencies
C. Tight coupling to backing services
D. Treat logs as event streams
E. One codebase tracked in revision control, many deploys
Answers: B, D, E

Dependencies declared in manifest.

Why this answer

Option B is correct because the Twelve-Factor App methodology mandates that dependencies must be explicitly declared and isolated via a dependency declaration manifest (e.g., Gemfile, package.json, requirements.txt) and a dependency isolation tool (e.g., Bundler, npm, pip). This ensures that the application never implicitly depends on system-wide packages, eliminating 'it works on my machine' issues and guaranteeing consistent behavior across all environments.

Exam trap

CNCF often tests the misconception that storing configuration in the codebase provides traceability, but the Twelve-Factor App explicitly forbids this to maintain strict separation of config from code and avoid accidental exposure of secrets.

348
Multi-Select · medium

Which TWO of the following are required fields when defining a container in a Kubernetes Pod spec? (Choose 2)

Select 2 answers
A. env
B. image
C. name
D. resources
E. ports
Answers: B, C

The 'image' field specifies the container image to run and is required.

Why this answer

In a Kubernetes Pod spec, the `name` and `image` fields are mandatory for each container definition. The `name` field uniquely identifies the container within the Pod, and the `image` field specifies the container image to run (e.g., `nginx:1.25`). Without these two fields, the Pod creation will fail with a validation error from the Kubernetes API server.

Exam trap

CNCF often tests the misconception that `ports` or `resources` are required because they appear in most example Pod specs, but the KCNA exam expects you to know that only `name` and `image` are mandatory per the Kubernetes API specification.

349
MCQ · medium

A DevOps engineer has created a ConfigMap named 'app-config' with some configuration data. They want to make that data available as environment variables in a pod. Which field in the pod spec should they use to achieve this?

A. spec.volumes
B. spec.containers[].volumeMounts
C. spec.containers[].envFrom
D. spec.containers[].env
Answer: C

envFrom takes a list of configMapRef or secretRef to populate environment variables.

Why this answer

Option C is correct because the `envFrom` field in the container spec allows you to inject all key-value pairs from a ConfigMap (or Secret) as environment variables into the container. This is the most direct and efficient way to expose ConfigMap data as environment variables without needing to specify each key individually.

Exam trap

The trap here is that candidates often confuse `envFrom` with `env` or `volumeMounts`, thinking that mounting a ConfigMap as a volume or using individual `env` entries is the only way to expose its data, but `envFrom` is the specific field designed for bulk injection of ConfigMap keys as environment variables.

How to eliminate wrong answers

Option A is wrong because `spec.volumes` defines volumes at the pod level, not environment variables; it is used for mounting data as files. Option B is wrong because `spec.containers[].volumeMounts` mounts a volume into a container's filesystem, not into environment variables. Option D is wrong because `spec.containers[].env` is used to set individual environment variables explicitly, but it does not automatically pull all data from a ConfigMap; it requires manual mapping of each key using `valueFrom`.

350
MCQ · medium

Which Kubernetes controller ensures that a specified number of pod replicas are running at all times?

A. ReplicaSet
B. Job
C. ReplicationController
D. DaemonSet
Answer: A

Why this answer

A ReplicaSet is the Kubernetes controller that ensures a specified number of pod replicas are running at all times. It uses a label selector to match pods and maintains the desired replica count by creating or deleting pods as needed. ReplicaSet is the successor to ReplicationController and is primarily used by Deployments to manage pod scaling and self-healing.

Exam trap

CNCF often tests the distinction between ReplicaSet and ReplicationController, trapping candidates who think ReplicationController is still the primary controller for replica management, when in fact ReplicaSet is the modern, recommended controller.

How to eliminate wrong answers

Option B is wrong because a Job controller is designed to run a specified number of pods to completion, not to maintain a continuous replica count. Option C is wrong because ReplicationController is the older, deprecated controller that also ensures a specified number of pod replicas, but it has been superseded by ReplicaSet with more flexible label selectors; however, the question asks for the current correct answer, and ReplicaSet is the standard. Option D is wrong because a DaemonSet ensures that a copy of a pod runs on every node (or a subset of nodes), not a specified number of replicas cluster-wide.

351
Multi-Select · hard

Which TWO are characteristics of the microservices architecture that are supported by container orchestration?

Select 2 answers
A. Tight coupling between services to ensure performance
B. Independent deployment of each service
C. Decomposition of an application into small, independent services
D. Monolithic codebase with centralized deployment
E. Use of a single, shared database for all services
Answers: B, C

Each microservice can be deployed, updated, and scaled independently without affecting others.

Why this answer

Options B and C are correct. Microservices decompose an application into small, loosely coupled services (C) that can be deployed independently (B). Option A is false: microservices should be loosely coupled. Option E is false: microservices favor decentralized data management. Option D is false: microservices are typically small, not monolithic.

352
Multi-Select · medium

Which two of the following are valid ways to expose a Pod's container port to other resources? (Select two.)

Select 2 answers
A. Create a Service of type ClusterIP pointing to the Pod's port
B. Add a containerPort field in the Pod spec
C. Set the pod's hostNetwork to true
D. Create an Ingress that routes to the Service
E. Use kubectl port-forward
Answers: A, D

Service exposes the pod's port stably.

Why this answer

A Service is the standard way to expose a pod's port. An Ingress can expose HTTP routes to a Service. containerPort in the pod spec is declarative but does not create exposure by itself; it documents the port. kubectl port-forward is for debugging, not permanent exposure.

353
MCQ · medium

Which deployment strategy is characterized by gradually shifting traffic from an old version to a new version of an application, often requiring a service mesh or ingress controller to manage traffic splitting?

A. Rolling update
B. Canary deployment
C. Blue-green deployment
D. Recreate
Answer: B

Why this answer

A canary deployment gradually shifts traffic to the new version, allowing monitoring before full rollout. Option A (Rolling update) replaces pods incrementally without traffic splitting. Option C (Blue-green) switches traffic entirely between two environments. Option D (Recreate) kills all old pods before creating new ones.

354
MCQ · easy

Which of the following is a key principle of microservices architecture?

A. Shared database schema for all services
B. Tight coupling between services
C. Loose coupling and independent deployability
D. Building a large, monolithic codebase
Answer: C

Each microservice can be deployed, scaled, and updated independently.

Why this answer

Microservices architecture emphasizes decomposition of an application into small, independently deployable services that communicate over well-defined APIs. Option C is correct. Options A, B, and D (a shared database schema, tight coupling, and a large monolithic codebase) describe a monolith, not microservices principles.

355
Multi-Select · hard

Which THREE are valid ways to perform a rolling update of a Deployment in Kubernetes? (Select THREE.)

Select 3 answers
A. Manually delete all pods and let the Deployment recreate them
B. Change the number of replicas
C. Update the container image to a new version
D. Modify the environment variables in the pod spec
E. Edit the deployment's labels
Answers: C, D, E

Changing the image in the Deployment spec triggers a rolling update.

Why this answer

A rolling update can be triggered by updating the container image, changing the image tag, or modifying a label selector (though changing selector is not recommended). Scaling is not an update.

356
MCQ · medium

When creating a Deployment, you want to ensure that only a certain number of pods run at a time across all nodes. Which field in the Deployment spec controls this?

A. spec.replicas
B. spec.selector
C. spec.minReadySeconds
D. spec.template
Answer: A

spec.replicas sets the desired number of pods.

Why this answer

The `spec.replicas` field in a Deployment spec defines the desired number of identical Pod replicas that should be running at any given time. This field directly controls the count of Pods across all nodes in the cluster, ensuring that exactly that many Pods are maintained by the ReplicaSet controller. Option A is correct because it is the only field that sets the target Pod count.

Exam trap

The trap here is that candidates confuse `spec.replicas` with `spec.selector`, thinking the selector controls the number of Pods, but the selector only determines which Pods are managed, not how many.

How to eliminate wrong answers

Option B is wrong because `spec.selector` defines a label query used to identify which Pods the Deployment manages, not the number of Pods. Option C is wrong because `spec.minReadySeconds` controls the minimum time a Pod must be ready before it is considered available, not the number of Pods. Option D is wrong because `spec.template` defines the Pod template (containers, volumes, etc.) used to create new Pods, not the desired count.

357
MCQ · medium

A developer has created a Deployment with 3 replicas. The application should be reachable from other Pods within the same cluster. Which Kubernetes resource should be used to provide a stable network endpoint?

A. Ingress
B. Service
C. PersistentVolumeClaim
D. ConfigMap
Answer: B

Services provide stable endpoints for Pod communication.

Why this answer

A Service provides a stable network endpoint (ClusterIP) that load-balances traffic across the Pod replicas, abstracting away Pod IP changes due to restarts or scaling. This allows other Pods within the cluster to reach the application reliably using the Service's DNS name, without needing to track individual Pod IPs.

Exam trap

CNCF often tests the misconception that an Ingress is required for any network access, but the trap here is that Ingress is only for external (north-south) traffic, while internal Pod-to-Pod communication uses a Service.

How to eliminate wrong answers

Option A is wrong because an Ingress is an API object that manages external HTTP/HTTPS access to Services, not internal cluster communication; it requires a Service to route traffic to Pods. Option C is wrong because a PersistentVolumeClaim is used to request storage resources, not to provide a network endpoint for Pod-to-Pod communication. Option D is wrong because a ConfigMap is used to inject configuration data (e.g., environment variables, files) into Pods, not to expose a stable network address.

358
MCQ · medium

What is the primary function of a service mesh like Istio?

A. To build container images
B. To handle inter-service communication with features like traffic control and security
C. To manage container orchestration
D. To provide persistent storage for stateful applications
Answer: B

Service mesh adds a dedicated infrastructure layer for managing service-to-service communication.

Why this answer

A service mesh provides observability, traffic management, and security for microservices communication.

359
MCQ · medium

You need to store a sensitive database password in Kubernetes. Which resource should you use?

A. PersistentVolume
B. ConfigMap
C. ServiceAccount
D. Secret
Answer: D

Secret is intended for sensitive data.

Why this answer

Secrets are designed to store sensitive data such as passwords, tokens, or keys. They are base64-encoded (an encoding, not encryption) and can be mounted as files or injected as environment variables.

360
MCQ · medium

A pod is experiencing high memory usage. The administrator wants to enforce that the pod is terminated if it exceeds a memory limit and restarted automatically, but also wants to guarantee a minimum amount of memory for the pod. Which resource specification should be used in the container definition?

A. spec.containers[].resources.requests.memory only
B. spec.containers[].resources.limits.memory and requests.cpu
C. spec.containers[].resources.limits.memory only
D. spec.containers[].resources.requests.memory and limits.memory
Answer: D

Requests guarantee the minimum; limits cap the maximum. If memory exceeds limits, the pod is OOMKilled and restarted.

Why this answer

Option D is correct because setting both `requests.memory` and `limits.memory` guarantees a minimum memory allocation (the request) while enforcing a hard cap (the limit). If the pod exceeds the memory limit, it is terminated (OOMKilled) and, if part of a Deployment or StatefulSet, the controller automatically restarts it. This satisfies the requirement for both guaranteed minimum and enforced maximum with automatic restart.

Exam trap

CNCF often tests the misconception that setting only `limits.memory` is sufficient for both guarantee and enforcement, but without `requests.memory` the pod has no guaranteed minimum and may be evicted under node pressure, failing the 'guarantee a minimum' requirement.

How to eliminate wrong answers

Option A is wrong because `requests.memory` only sets the minimum guaranteed memory but does not enforce any upper limit; the pod could consume unlimited memory and cause node instability. Option B is wrong because `limits.memory` and `requests.cpu` do not address memory limits at all — `requests.cpu` only guarantees CPU, not memory, so the pod could still exceed memory without being terminated. Option C is wrong because `limits.memory` alone enforces a hard cap but does not guarantee a minimum memory allocation; the pod could be starved or evicted if the node is under pressure, failing the 'guarantee a minimum amount of memory' requirement.

361
MCQ · hard

A microservice application is experiencing high latency during traffic spikes. The team identifies that the database connection pool is exhausted. They want to implement a pattern that helps decouple the microservice from direct database connections and smooth out traffic bursts. Which design pattern should they apply?

A. Bulkhead pattern
B. Circuit Breaker pattern
C. Queue-based Load Leveling pattern
D. Retry pattern
Answer: C

A message queue buffers requests, decouples services, and smooths traffic spikes.

Why this answer

The Queue-based Load Leveling pattern uses a message queue (e.g., RabbitMQ, Amazon SQS) as a buffer between the microservice and the database. When traffic spikes occur, requests are queued and processed at a manageable rate, preventing the database connection pool from being exhausted. This decouples the service from direct database connections and smooths out bursts, directly addressing the latency issue.

Exam trap

CNCF often tests the distinction between patterns that handle failures (Circuit Breaker, Retry) versus patterns that manage load (Queue-based Load Leveling), and the trap here is that candidates confuse 'smoothing traffic bursts' with 'preventing repeated failures,' leading them to pick the Circuit Breaker or Retry pattern incorrectly.

How to eliminate wrong answers

Option A is wrong because the Bulkhead pattern isolates resources (e.g., thread pools) within a service to prevent cascading failures, but it does not buffer traffic spikes or decouple from database connections. Option B is wrong because the Circuit Breaker pattern monitors for failures and opens the circuit to stop requests temporarily, but it does not smooth out traffic bursts or prevent connection pool exhaustion during spikes. Option D is wrong because the Retry pattern automatically retries failed operations, but it can exacerbate connection pool exhaustion by adding more load during traffic spikes, not decouple or level the load.

362
MCQ · medium

A pod is stuck in the 'Pending' state. You run 'kubectl describe pod mypod' and see the event: '0/3 nodes are available: 1 node had taint that the pod didn't tolerate, 2 Insufficient cpu.' What is the most likely cause?

A. The pod's liveness probe is failing
B. The pod's resource requests exceed available node capacity and a node taint is not tolerated
C. The pod's container runtime is not installed
D. The pod's image pull secret is missing
Answer: B

The events indicate insufficient CPU and an untolerated taint, preventing scheduling.

Why this answer

The pod is in 'Pending' state because the scheduler cannot find a node that meets its requirements. The event '0/3 nodes are available: 1 node had taint that the pod didn't tolerate, 2 Insufficient cpu' directly indicates that the pod's resource requests exceed the available CPU on two nodes, and the remaining node has a taint that the pod does not tolerate. This matches option B: the pod's resource requests exceed available node capacity and a node taint is not tolerated.

Exam trap

The trap here is that candidates may confuse 'Pending' state with post-scheduling issues like probe failures or image pull errors, but the event message explicitly points to scheduling failures (resource insufficiency and taint intolerance), which are the only reasons a pod remains unscheduled.

How to eliminate wrong answers

Option A is wrong because a failing liveness probe would cause the pod to be restarted or marked as 'CrashLoopBackOff', not stuck in 'Pending' — liveness probes only run after the pod is scheduled and started. Option C is wrong because if the container runtime were not installed, the kubelet would report a 'ContainerRuntimeNotReady' condition, and the pod would not even be considered for scheduling; the scheduler would not produce 'Insufficient cpu' events. Option D is wrong because a missing image pull secret would cause an 'ImagePullBackOff' or 'ErrImagePull' error after the pod is scheduled, not a 'Pending' state with resource-related scheduling failures.

363
MCQ · medium

In distributed tracing, what is a 'span'?

A. A metric measuring request latency
B. A single logical operation within a trace
C. A collection of related traces
D. A log entry with trace context
Answer: B

A span represents one operation, such as a function call or a request.

Why this answer

A span represents a unit of work in a distributed system, often a single operation like an HTTP request or database call.

364
MCQ · medium

A developer creates a Deployment with 3 replicas. The developer runs 'kubectl get pods' immediately after creation and sees that only 1 pod is in Running state, and the other 2 are Pending. What is the most likely reason for this?

A. The cluster does not have enough resources (CPU/memory) to schedule the additional pods
B. The Deployment's YAML has a syntax error
C. The container image is not available on the worker nodes
D. The kubelet on the node is not running
Answer: A

If nodes lack sufficient resources, new pods remain Pending until resources become available or are released.

Why this answer

When a Pod remains in Pending state, it indicates that the scheduler cannot find a suitable node to place it. The most common cause is insufficient cluster resources (CPU or memory) to accommodate the additional Pods, as the scheduler checks node allocatable resources against Pod resource requests. With 2 out of 3 Pods pending, the cluster likely has enough resources for only one replica, leaving the others unscheduled.

Exam trap

CNCF often tests the distinction between Pod lifecycle phases — Pending means scheduling failure, not image or runtime issues — so candidates mistakenly associate Pending with image pull errors or node problems rather than resource insufficiency.

How to eliminate wrong answers

Option B is wrong because a syntax error in the Deployment YAML would cause the API server to reject the resource creation entirely, resulting in no Pods being created at all, not a mix of Running and Pending Pods. Option C is wrong because if the container image were unavailable, the Pods would transition to ImagePullBackOff or ErrImagePull state, not remain Pending — Pending means scheduling hasn't occurred yet. Option D is wrong because if the kubelet were not running on a node, that node would be marked as NotReady, but the scheduler would still attempt to schedule Pods to other nodes; the issue here is that no node has enough resources, not that a node is offline.

365
Multi-Select · medium

Which two components are part of the Kubernetes control plane? (Select two.)

Select 2 answers
A. etcd
B. kube-proxy
C. kube-apiserver
D. kubelet
E. container runtime
Answers: A, C

etcd is a control plane component.

Why this answer

The control plane includes kube-apiserver, etcd, kube-scheduler, and kube-controller-manager. kubelet and kube-proxy are worker node components.

366
Multi-Select · medium

Which two of the following are valid ways to expose a Deployment externally to the internet? (Select TWO)

Select 2 answers
A. Create a Service of type ClusterIP
B. Create an Ingress resource
C. Create a Service of type LoadBalancer
D. Create a Headless Service
E. Create a Service of type NodePort
Answers: C, E

LoadBalancer provisions an external load balancer and assigns a public IP.

Why this answer

Option C is correct because a Service of type LoadBalancer provisions an external load balancer (e.g., in cloud environments like AWS, GCP, or Azure) that assigns a public IP or DNS name, making the Deployment directly accessible from the internet. This is a standard method for exposing services externally in Kubernetes.

Exam trap

The trap here is that candidates often confuse Ingress as a standalone external exposure method, forgetting that Ingress requires a backing Service (typically NodePort or LoadBalancer) to actually route traffic from the internet.

367
Multi-Select · medium

Which TWO statements about containers are true compared to virtual machines? (Select TWO.)

Select 2 answers
A. Containers are more lightweight and start faster than VMs
B. Containers include a full guest operating system
C. Containers are more portable across different environments
D. Containers provide stronger isolation than VMs
E. Containers require a hypervisor to run
Answers: A, C

Because they share the host kernel and do not need to boot an OS, containers are lightweight and start quickly.

Why this answer

Containers share the host OS kernel, making them lightweight and fast to start, and they are more portable because they bundle only the application and its dependencies.

368
MCQ · medium

Which component is responsible for aggregating metrics from Kubernetes nodes and exposing them to the metrics API?

A. Prometheus Server
B. Grafana
C. metrics-server
D. Fluentd
Answer: C

Correct. The metrics-server is a cluster-wide aggregator of resource usage data.

Why this answer

The metrics-server is the correct component because it is specifically designed to collect resource metrics (CPU and memory) from the kubelet on each node via the Summary API and expose them through the Kubernetes Metrics API. This allows tools like `kubectl top` and the Horizontal Pod Autoscaler to access real-time resource usage without requiring a full monitoring stack.

Exam trap

The trap here is that candidates often confuse Prometheus (a full monitoring system) with the metrics-server (a lightweight, Kubernetes-native component for the Metrics API), assuming Prometheus is required for `kubectl top` or HPA when in fact the metrics-server is the dedicated and simpler solution.

How to eliminate wrong answers

Option A is wrong because Prometheus Server is a full monitoring and alerting system that scrapes metrics from various endpoints, but it is not the component responsible for aggregating metrics from nodes and exposing them to the Kubernetes Metrics API; it typically scrapes the metrics-server or kubelet directly. Option B is wrong because Grafana is a visualization and dashboarding tool that queries data sources like Prometheus or metrics-server, but it does not aggregate or expose metrics to the Metrics API. Option D is wrong because Fluentd is a log collector and forwarder used for log aggregation, not for collecting or exposing resource metrics to the Kubernetes Metrics API.

369
MCQ · easy

An organization wants to adopt a cloud-native approach for its new application. Which characteristic is most important for the application to be considered cloud-native?

A. It stores all state in local files on the container filesystem.
B. It is designed to be resilient, scalable, and manageable in a dynamic environment.
C. It runs as a single monolithic process for simplicity.
D. It is deployed exclusively on on-premises infrastructure.
Answer: B

Resilience, scalability, and manageability are core cloud-native characteristics.

Why this answer

Option B is correct because cloud-native applications are fundamentally defined by their ability to operate in dynamic, distributed environments. They leverage principles like microservices, containerization, and orchestration (e.g., Kubernetes) to achieve resilience, scalability, and manageability. This characteristic is the core tenet of cloud-native architecture as defined by the CNCF, enabling the app to handle failures gracefully and scale on demand.

Exam trap

CNCF often tests the misconception that cloud-native simply means 'running in containers' or 'using Kubernetes,' but the defining characteristic is the architectural property of being resilient, scalable, and manageable in a dynamic environment, not the deployment technology itself.

How to eliminate wrong answers

Option A is wrong because storing state in local container filesystems violates the cloud-native principle of statelessness; containers are ephemeral, and local state is lost on restart, making the application non-resilient and unscalable. Option C is wrong because a monolithic process contradicts the cloud-native preference for microservices, which allow independent scaling, deployment, and fault isolation; monoliths become bottlenecks in dynamic environments. Option D is wrong because cloud-native applications are designed to be infrastructure-agnostic and typically run in multi-cloud or hybrid environments, not exclusively on-premises; being tied to on-premises infrastructure limits portability and cloud benefits.

370
MCQ · easy

In GitOps with ArgoCD, what does 'self-healing' refer to?

A. Automatically scaling applications based on metrics
B. Automatically restarting failed pods
C. Automatically reverting manual changes to match the Git repository
D. Automatically updating the Git repository when changes are made in the cluster
Answer: C

Self-healing ensures the cluster state continuously matches the Git repository, undoing any drift.

Why this answer

Self-healing automatically reverts any manual changes made to the live cluster state back to the desired state defined in Git, ensuring configuration drift is corrected.

371
MCQhard

A pod has resource requests: cpu: 250m, memory: 512Mi and limits: cpu: 500m, memory: 1Gi. If the container tries to use 600m CPU and 700Mi memory, what will happen?

A. The container will be allowed to use the extra resources because limits are only soft constraints
B. The container will be throttled for CPU and may be terminated if it continues to exceed the limit
C. The container will be throttled for CPU, but will not be killed because memory is within limits
D. The container will be killed immediately because it exceeded its CPU limit

Answer: C

CPU above limit -> throttled; memory below limit -> no OOM kill.

Why this answer

If a container exceeds its CPU limit, it gets throttled (not killed). If it exceeds its memory limit, it is killed (OOMKilled). Here, CPU usage 600m exceeds limit 500m -> throttled; memory usage 700Mi is below limit 1Gi -> no OOM.

372
MCQ · hard

A pod is stuck in 'Pending' state. 'kubectl describe pod' shows '0/4 nodes are available: 4 Insufficient memory'. What is the most likely cause?

A. All nodes have taints that the pod cannot tolerate
B. The pod's liveness probe is failing
C. The container image is not found
D. The pod requires more memory than any node can allocate

Answer: D

The error indicates no node has enough available memory.

Why this answer

The scheduler cannot find a node with enough memory to satisfy the pod's resource requests.

373
MCQ · hard

A DevOps engineer wants to ensure that a critical application pod is rescheduled on a different node if its current node fails. The pod should be scheduled with a preference for nodes in a specific availability zone but can run elsewhere if needed. Which scheduling mechanism should be used?

A. Use a StatefulSet with podAntiAffinity.
B. Use a Deployment with a preferred nodeAffinity rule.
C. Run a static pod defined in the kubelet configuration.
D. Create a DaemonSet with a nodeSelector for the zone.

Answer: B

Correct; Deployment ensures rescheduling via ReplicaSet, nodeAffinity provides preference.

Why this answer

A Deployment with a preferred nodeAffinity rule is correct because it allows the pod to be rescheduled on a different node if the current node fails, while expressing a preference for nodes in a specific availability zone. The 'preferred' (soft) rule ensures scheduling flexibility—the pod can run elsewhere if no zone-matching nodes are available—which aligns with the requirement for high availability without strict zone constraints.

Exam trap

The trap here is that candidates confuse 'preferred' (soft) nodeAffinity with 'required' (hard) nodeAffinity, or mistakenly think DaemonSets or StatefulSets are needed for node failure recovery, when a simple Deployment with a soft scheduling preference is the correct mechanism for zone-aware rescheduling.

How to eliminate wrong answers

Option A is wrong because a StatefulSet with podAntiAffinity controls pod placement relative to other pods (e.g., spreading replicas across nodes), not rescheduling behavior after node failure, and does not express zone preference. Option C is wrong because a static pod is managed directly by the kubelet on a specific node and cannot be rescheduled to a different node if that node fails—it is tied to the node's lifecycle. Option D is wrong because a DaemonSet runs exactly one pod per node by default, which is not suitable for a single critical application pod, and nodeSelector enforces a hard constraint (not a preference) that would prevent scheduling if no zone-matching nodes exist.

374
Drag & Drop · medium

Drag and drop the steps to update a Kubernetes Secret and ensure Pods use the new value into the correct order.


Why this order

Update the Secret, verify, force Pod recreation if needed, wait for new Pods, and verify the new value.

375
MCQ · medium

Which resource provides stable network endpoints to a set of pods, regardless of pod IP changes?

A. ConfigMap
B. Service
C. Deployment
D. Ingress

Answer: B

A Service abstracts pod IPs and provides a stable endpoint.

Why this answer

A Service provides a stable virtual IP and DNS name that routes traffic to pods matching its selector.
