Kubernetes and Cloud Native Associate (KCNA) — Questions 376-450

997 questions total · 14 pages · All types, answers revealed


Page 6 of 14

376
Multi-Select (hard)

Which THREE of the following are benefits of using an event-driven architecture? (Choose three.)

Select 3 answers
A.Simpler debugging and tracing
B.Better resilience through decoupled components
C.Improved scalability through asynchronous processing
D.Reduced need for monitoring
E.Loose coupling between services
Answers: B, C, E

Failure in one component does not directly affect others.

Why this answer

Event-driven architecture enables loose coupling, scalability, and asynchronous processing.

377
MCQ (hard)

A pod is running but you need to view the contents of a file '/var/log/app.log' inside the container to debug an issue. Which kubectl command allows you to do this without modifying the pod?

A.kubectl logs pod-name -c container-name --tail=100
B.kubectl cp pod-name:/var/log/app.log -
C.kubectl exec pod-name -- cat /var/log/app.log
D.kubectl attach pod-name
Answer: C

Executes 'cat' inside the container to display the file.

Why this answer

Option C is correct because `kubectl exec pod-name -- cat /var/log/app.log` runs `cat` inside the container without modifying the pod or its state, so you read the file straight from the container's filesystem. This matters when the application writes logs to a file instead of to stdout/stderr, because `kubectl logs` cannot see them. Two practical conditions apply: the image must actually contain a `cat` binary (distroless images often do not, in which case an ephemeral debug container via `kubectl debug` is the alternative), and the caller needs RBAC permission on the `pods/exec` subresource, which is a powerful grant because it permits arbitrary command execution inside the container.

Exam trap

The trap here is that candidates often confuse `kubectl logs` with reading arbitrary files, assuming it can retrieve any log file, when in fact it only captures container stdout/stderr streams, while `kubectl exec` is the correct tool for accessing files inside a container.

How to eliminate wrong answers

Option A is wrong because `kubectl logs` only retrieves what the container wrote to its stdout/stderr streams, not arbitrary files such as `/var/log/app.log`. Option B is wrong because `kubectl cp` copies files between a pod and the local filesystem and needs a local destination path; `-` is not accepted as one, so the command as written fails. (Copying out of a pod does not modify it, but `kubectl cp` also depends on a `tar` binary inside the container, which many minimal images lack.) Option D is wrong because `kubectl attach` connects to the stdin/stdout/stderr of the container's already-running main process; it cannot read a file and may interfere with that process.

378
MCQ (medium)

A Deployment named 'web' has 3 replicas. You run 'kubectl scale deployment web --replicas=5'. What will happen?

A.Two additional Pods are created to reach a total of 5 replicas.
B.An error occurs because scaling a Deployment is not allowed.
C.The Deployment is updated and all Pods are restarted.
D.The existing Pods are deleted and 5 new Pods are created.
Answer: A

Scaling increases the replica count from 3 to 5, creating 2 new Pods.

Why this answer

The scale command changes the desired number of replicas for the Deployment. The Deployment controller will then create 2 additional Pods to reach 5 replicas.

379
Multi-Select (hard)

Which three components are part of the Kubernetes control plane? (Select THREE)

Select 3 answers
A.etcd
B.kube-apiserver
C.kube-proxy
D.kube-controller-manager
E.kubelet
Answers: A, B, D

etcd stores cluster state.

Why this answer

etcd is a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data. It stores the entire cluster state, including configuration, secrets, and metadata, and is a core component of the control plane because the API server reads from and writes to it to maintain cluster integrity.

Exam trap

CNCF often tests the distinction between control plane and worker node components, and the trap here is that candidates confuse kube-proxy or kubelet as control plane components because they are essential to cluster operation, but they actually run on every node and are not part of the control plane.

380
MCQ (hard)

A team uses Argo Rollouts for progressive delivery. They configure a canary rollout with a traffic split of 20% to the new version. After verification, the rollout automatically increases traffic to 100%. Which Argo Rollout manifest field controls this gradual traffic increase?

A.strategy.canary.trafficRouting
B.strategy.canary.steps
C.template.spec.containers
D.spec.replicas
Answer: B

Why this answer

The `steps` field in an Argo Rollout defines the ordered sequence of canary steps (`setWeight`, `pause`, `analysis`, and so on), so Option B (strategy.canary.steps) is correct. Option A (strategy.canary.trafficRouting) configures how the weights are enforced (for example through Istio, NGINX Ingress, or another traffic provider), not what the weights are or when they change.

Option C (template.spec.containers) defines the containers of the pod template. Option D (spec.replicas) sets the total replica count.
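Added example, not part of the original question bank: a minimal Argo Rollout manifest showing where the canary steps live relative to trafficRouting. The name web, the Services web-stable and web-canary, the Istio VirtualService web-vsvc and the image are assumptions for illustration.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: web                         # assumed name
spec:
  replicas: 5
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: registry.example.com/web:2.0   # assumed image
        ports:
        - containerPort: 8080
  strategy:
    canary:
      # HOW traffic is split: hand the weights to an Istio VirtualService.
      # Without this block Argo approximates the weight by scaling the
      # canary and stable ReplicaSets instead of shifting real requests.
      canaryService: web-canary      # assumed Services selecting the
      stableService: web-stable      # canary and stable ReplicaSets
      trafficRouting:
        istio:
          virtualService:
            name: web-vsvc           # assumed VirtualService
            routes:
            - primary
      # WHAT the gradual increase looks like: the ordered steps.
      steps:
      - setWeight: 20                # 20% of traffic to the new version
      - pause: {duration: 10m}       # time for verification (or an analysis step)
      - setWeight: 50
      - pause: {duration: 5m}
      # After the last step completes, Argo promotes the canary to 100% and
      # the stable ReplicaSet is updated. A bare "pause: {}" would instead
      # wait for a manual "kubectl argo rollouts promote web".
```

The exam question asks which field "controls the gradual traffic increase": it is the `steps` list; `trafficRouting` only decides which data-plane component applies the weight that each step sets.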

381
MCQ (easy)

Which Kubernetes control plane component is responsible for maintaining the desired state of the cluster, such as ensuring the correct number of pods are running?

A.kube-controller-manager
B.kube-apiserver
C.kube-scheduler
D.etcd
Answer: A

The controller manager runs controllers (e.g., replication controller) to ensure the current state matches the desired state.

Why this answer

The kube-controller-manager is the control plane component that runs controller processes, including the Replication Controller, which is responsible for ensuring that the desired number of pod replicas are running at all times. It continuously watches the state of the cluster via the kube-apiserver and makes adjustments to reconcile the current state with the desired state defined in the cluster's configuration.

Exam trap

CNCF often tests the distinction between the component that stores state (etcd) and the component that actively reconciles state (kube-controller-manager), leading candidates to mistakenly choose etcd because it holds the desired state data.

How to eliminate wrong answers

Option B is wrong because the kube-apiserver is the front-end for the Kubernetes control plane that exposes the Kubernetes API, handling authentication, authorization, and API requests, but it does not directly manage the desired state of pods or other resources. Option C is wrong because the kube-scheduler is responsible for assigning newly created pods to nodes based on resource availability and constraints, not for maintaining the desired number of running pods. Option D is wrong because etcd is a distributed key-value store that holds the cluster's configuration and state data, but it is a data store, not a controller that actively reconciles desired state.

382
MCQ (hard)

An application requires a unique identifier per replica, stored in an environment variable. Which Kubernetes resource should be used to inject this identifier into each pod without manual updates?

A.Deployment with pod anti-affinity to schedule each pod on a different node.
B.StatefulSet with an environment variable derived from the pod name.
C.DaemonSet with a node name environment variable.
D.Job with a completion index environment variable.
Answer: B

StatefulSet pods have stable, unique names (e.g., myapp-0).

Why this answer

A StatefulSet gives each replica a stable, unique ordinal identity (pod names `myapp-0`, `myapp-1`, ...) that survives rescheduling. That name can be injected into an environment variable through the Downward API (`valueFrom.fieldRef.fieldPath: metadata.name`) or read from the container's hostname, so no manual per-replica configuration is needed. Option B is correct.

Option A is wrong because Deployment pods are interchangeable and get random name suffixes, so no pod has a stable identifier; anti-affinity only changes placement. Option C is wrong because a DaemonSet runs one pod per node, tying the identifier to the node rather than to a replica. Option D is close but wrong for this workload: an Indexed Job does expose a per-pod completion index (`JOB_COMPLETION_INDEX`), but Jobs run to completion rather than serving as long-running replicas.
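Added example, not part of the original question bank: a StatefulSet that injects its own ordinal pod name into the container as REPLICA_ID via the Downward API. The name myapp, the image and the port are assumptions for illustration; the headless Service is included because a StatefulSet requires one for its stable network identities.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp                        # assumed name; headless (clusterIP: None)
spec:
  clusterIP: None
  selector:
    app: myapp
  ports:
  - port: 8080
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: myapp
spec:
  serviceName: myapp                 # must match the headless Service
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: app
        image: registry.example.com/myapp:1.0   # assumed image
        ports:
        - containerPort: 8080
        env:
        # Downward API: the pod's own name is myapp-0, myapp-1, myapp-2 and
        # stays the same if the pod is rescheduled, so each replica gets a
        # stable identifier with no per-replica manifest edits.
        - name: REPLICA_ID
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        # The same value is also the container hostname, and each replica is
        # reachable as myapp-<n>.myapp.<namespace>.svc.cluster.local.
```

Inside the container, `echo $REPLICA_ID` prints `myapp-0` on the first replica; the identifier is derived from the pod name the controller assigns, not from anything a human maintains.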

383
MCQ (medium)

Which of the following is a key principle of the 12-factor app methodology?

A.Treat logs as event streams
B.Bind services at build time
C.Use local disk storage for persistence
D.Store configuration in the codebase
Answer: A

Logs should be emitted as event streams and not be concerned with routing or storage.

Why this answer

The 12-factor app includes the principle of treating logs as event streams, not as files.

384
MCQ (medium)

Which command would you run to get a list of all pods in all namespaces?

A.kubectl get pods --namespace=*
B.kubectl get pods --global
C.kubectl get pods --all-namespaces
D.kubectl get pods --include-uninitialized
Answer: C

This lists pods in all namespaces.

Why this answer

Option C is correct because `kubectl get pods --all-namespaces` (or its shorthand `-A`) retrieves pods from every namespace in the cluster. This flag overrides the default behavior of `kubectl get pods`, which only returns pods in the current namespace (usually `default`).

Exam trap

CNCF often tests the misconception that a wildcard or global flag exists for namespace selection, leading candidates to choose `--namespace=*` or `--global` instead of the correct `--all-namespaces` flag.

How to eliminate wrong answers

Option A is wrong because `--namespace=*` is not a valid kubectl syntax; the asterisk wildcard is not supported for namespace selection, and kubectl will return an error. Option B is wrong because `--global` is not a valid kubectl flag; it does not exist and would cause a parsing error. Option D is wrong because `--include-uninitialized` is a deprecated flag that was used in older Kubernetes versions to include pods that had not yet been fully initialized, but it does not affect namespace scope and is no longer supported in recent releases.

385
MCQ (easy)

Which DORA metric measures the percentage of deployments that cause a failure in production?

A.Deployment Frequency
B.Mean Time to Recovery (MTTR)
C.Change Failure Rate
D.Lead Time for Changes
Answer: C

This measures the percentage of changes that result in a failure in production.

Why this answer

Change Failure Rate is the percentage of changes that result in a failure (e.g., service degradation, rollback). It is one of the four key DORA metrics.

386
Multi-Select (hard)

Which THREE of the following are key characteristics of microservices architecture?

Select 3 answers
A.Independent deployment of services
B.Decomposition by business capability
C.Single monolithic codebase
D.Shared database schema across services
E.Loose coupling between services
Answers: A, B, E

Each microservice can be deployed independently.

Why this answer

Microservices decompose applications into small, independent services that can be deployed separately and communicate via APIs.

387
MCQ (easy)

What is the primary purpose of the Kubernetes control plane component 'kube-apiserver'?

A.Run container runtime operations on nodes
B.Schedule pods onto nodes
C.Store cluster state and configuration
D.Expose the Kubernetes REST API and act as the entry point for all administrative tasks
Answer: D

The API server is the entry point for all REST commands used to control the cluster.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane. It exposes the Kubernetes API, which is used to interact with the cluster. All other components communicate through it.

388
MCQ (medium)

In a blue-green deployment strategy, at any given time, only one environment (blue or green) is active. What is the primary advantage of this approach?

A.Gradual traffic shifting to detect issues early
B.Instant rollback by switching traffic back to the previous environment
C.Minimal resource consumption by using only one environment
D.No need for load balancers or ingress controllers
Answer: B

Why this answer

Blue-green deployments keep the previous environment intact while the new one takes traffic, so a rollback is a single traffic switch back. Option B is correct. Option A describes canary deployments, where traffic shifts gradually.

Option C is wrong because blue-green needs two full environments, so it uses more resources, not fewer; minimal overhead is a property of rolling updates. Option D is wrong because blue-green relies on a load balancer, Service, or ingress to perform the switch.

389
MCQ (easy)

Which of the following is NOT one of the three pillars of observability in cloud-native environments?

A.Metrics
B.Traces
C.Security
D.Logs
Answer: C

Security is not one of the three pillars.

Why this answer

The three pillars are logs, metrics, and traces. Security is not one of them, though it is important.

390
MCQ (hard)

You need to deploy an application that requires exactly one pod per cluster node for logging purposes. Which Kubernetes workload resource should you use?

A.DaemonSet
B.Job
C.StatefulSet
D.Deployment
Answer: A

DaemonSet runs a pod on each node.

Why this answer

A DaemonSet ensures that a copy of a pod runs on every node in the cluster, or on a subset of nodes if a node selector is used. This is the correct resource for deploying a logging agent that must be present on each node to collect logs from that node's containers and system components.

Exam trap

The trap here is that candidates often confuse DaemonSet with Deployment, assuming a Deployment with replicas equal to the node count will achieve the same effect, but Deployments do not guarantee one pod per node and can schedule multiple pods on the same node or leave nodes empty.

How to eliminate wrong answers

Option B (Job) is wrong because a Job creates one or more pods that run to completion and then stop, which is unsuitable for a continuously running logging daemon that must persist on every node. Option C (StatefulSet) is wrong because StatefulSet is designed for stateful applications that require stable, unique network identities and persistent storage, not for ensuring one pod per node. Option D (Deployment) is wrong because a Deployment manages replicas across the cluster without guaranteeing that a pod runs on every node; it uses a scheduler to distribute pods based on resource availability, not node coverage.

391
MCQ (medium)

You need to ensure that a set of pods in a Deployment can be reached by other pods using a stable IP address and DNS name. Which Kubernetes object should you use?

A.Service
B.NetworkPolicy
C.Ingress
D.ConfigMap
Answer: A

A Service provides a stable IP and DNS name for a set of pods.

Why this answer

A Service provides a stable endpoint for a set of pods, with DNS name resolution within the cluster.

392
MCQ (medium)

What is the role of etcd in a Kubernetes cluster?

A.It serves as the container runtime
B.It stores cluster state and configuration
C.It provides DNS-based service discovery
D.It schedules pods onto nodes
Answer: B

etcd is the cluster's backing store.

Why this answer

etcd is a distributed, consistent key-value store that serves as Kubernetes' primary datastore for all cluster state and configuration data. It stores objects like pods, services, deployments, secrets, and configmaps, and is the source of truth for the entire cluster. The Kubernetes API server is the only component that communicates directly with etcd; etcd itself achieves strong consistency across its members through the Raft consensus protocol. Because Secrets are stored in etcd unencrypted unless encryption at rest is configured on the API server, access to etcd and to its backups must be restricted as tightly as access to the API server itself.

Exam trap

The trap here is that candidates often confuse etcd with the container runtime or the scheduler because all three are essential components, but only etcd is the persistent, consistent store for cluster state, not a runtime or decision-making component.

How to eliminate wrong answers

Option A is wrong because the container runtime (e.g., containerd, CRI-O, or Docker) is responsible for pulling images and running containers, not etcd. Option C is wrong because DNS-based service discovery in Kubernetes is provided by CoreDNS (or kube-dns), which resolves service names to cluster IPs, not by etcd. Option D is wrong because pod scheduling onto nodes is performed by the kube-scheduler, which reads node and pod data from etcd via the API server but does not directly interact with etcd.

393
Multi-Select (medium)

Which TWO components are part of the Kubernetes control plane?

Select 2 answers
A.kube-proxy
B.kubelet
C.etcd
D.kube-apiserver
E.container runtime
Answers: C, D

etcd is the control plane's key-value store.

Why this answer

The control plane consists of kube-apiserver, etcd, kube-scheduler, and kube-controller-manager. kubelet and kube-proxy are worker node components.

394
Multi-Select (hard)

Which THREE of the following are valid apiVersions for Kubernetes resources?

Select 3 answers
A.batch/v1
B.v1
C.apps/v1
D.extensions/v1beta1
E.v1beta1
Answers: A, B, C

batch/v1 is the current apiVersion for Jobs and CronJobs.

Why this answer

apps/v1 is for Deployments, StatefulSets, DaemonSets and ReplicaSets. batch/v1 is for Jobs and CronJobs. v1 is the core API group version for Pods, Services, ConfigMaps and Secrets. Option D (extensions/v1beta1) was deprecated and then removed (for workload types in Kubernetes 1.16, for Ingress in 1.22), so current clusters reject manifests that use it. Option E (v1beta1) is not a complete apiVersion at all: a non-core group version must name its group, as in apps/v1 or networking.k8s.io/v1.

395
MCQ (hard)

Which of the following is a benefit of using an API gateway pattern?

A.It reduces the number of microservices needed
B.It replaces the need for a service mesh
C.It provides a single entry point for clients and handles cross-cutting concerns
D.It stores application state
Answer: C

API gateway centralizes routing, auth, rate limiting, etc.

Why this answer

API gateway can offload cross-cutting concerns like authentication from individual microservices.

396
Drag & Drop (medium)

Drag and drop the steps for a rolling update of a Kubernetes Deployment into the correct order.


Why this order

Update the image (edit the manifest and apply it, or use `kubectl set image`), watch the rollout with `kubectl rollout status`, verify the health of the new Pods, and roll back with `kubectl rollout undo` if issues arise.

397
MCQ (medium)

You need to run a batch job that processes data and then exits. Which Kubernetes resource type is most appropriate for this workload?

A.Deployment
B.DaemonSet
C.Job
D.StatefulSet
Answer: C

Jobs are designed for finite tasks that run to completion.

Why this answer

Option C is correct. A Job is designed for running tasks that complete successfully and then terminate. A Deployment is for long-running services, a DaemonSet runs a pod on each node, and a StatefulSet is for stateful applications requiring stable identities.

398
MCQ (medium)

You run 'kubectl get pods' and see a Pod in the 'Pending' state. Which of the following is a likely cause?

A.No node meets the requested CPU or memory resources
B.The application crashed due to a bug
C.The container image is missing
D.The Pod has been deleted
Answer: A

Insufficient resources on any node can cause Pending state.

Why this answer

Pending often indicates that the scheduler cannot find a node that meets the Pod's resource requests or other constraints.

399
MCQ (hard)

A cloud-native application uses a service mesh (Istio) for traffic management. The team notices increased latency in inter-service communication. Which likely cause should be investigated first?

A.Kubernetes Network Policies blocking traffic
B.Misconfigured sidecar proxy settings
C.Application code is not optimized for the mesh
D.mTLS encryption overhead
Answer: B

Misconfigured sidecar settings such as retries and timeouts act on every request and can add significant latency.

Why this answer

In Istio, the sidecar proxy (Envoy) intercepts all inbound and outbound traffic for the application container. Misconfigured proxy settings—such as incorrect timeouts, retry policies, or circuit breaker thresholds—can introduce significant latency by causing unnecessary retries, connection delays, or queueing. This is the most common and immediate cause of increased latency in a service mesh, as the data plane is directly in the request path.

Exam trap

CNCF often tests the assumption that mTLS is the main source of mesh latency. Its encryption cost is small and roughly constant per connection, whereas a misconfigured proxy setting acts on every request in the data path and is the more likely cause of a noticeable change.

How to eliminate wrong answers

Option A is wrong because Kubernetes Network Policies operate at the IP/port level and drop disallowed traffic outright; that shows up as connection failures or timeouts, not as uniformly slower responses. Option C is wrong because application code optimization is a separate concern: the service mesh handles traffic management at the infrastructure layer, and unoptimized code would cause latency with or without the mesh. Option D is wrong because mTLS overhead in Istio is small and is an accepted cost of zero-trust networking; it is not the first suspect for a latency increase that appeared after a configuration change.
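Added example, not part of the original question bank: an Istio VirtualService showing the kind of sidecar setting the explanation has in mind, with the weak configuration left in comments beside the corrected one. The service name orders is an assumption; the retry and timeout fields are standard Istio VirtualService fields.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: orders                       # assumed service name
spec:
  hosts:
  - orders
  http:
  - route:
    - destination:
        host: orders
    # Weak setting: aggressive retries with no per-try deadline and no
    # overall timeout. A slow backend is hit up to 11 times in series, so
    # callers see latency that multiplies instead of a fast failure, and
    # a non-idempotent POST may be applied more than once.
    # retries:
    #   attempts: 10
    #   retryOn: 5xx,gateway-error,connect-failure
    #
    # Corrected: bound the whole request, retry only on connection-level
    # failures (not on 5xx from a backend that already did work), and cap
    # each attempt so retries cannot exceed the overall timeout.
    timeout: 2s
    retries:
      attempts: 2
      perTryTimeout: 500ms
      retryOn: connect-failure,refused-stream,reset
```

When investigating, compare the sidecar's effective configuration (for example with `istioctl proxy-config route <pod>`) against what the application's own timeouts expect; the mesh's retry budget and the client's deadline must agree, or the proxy keeps retrying a request the caller has already abandoned.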

400
MCQ (medium)

What is the primary purpose of an API gateway in a microservices architecture?

A.To manage service-to-service communication within a cluster
B.To replace DNS for service discovery
C.To act as a single entry point for external clients
D.To directly connect databases to clients
Answer: C

Why this answer

An API gateway acts as a single entry point for clients, routing requests to appropriate microservices and providing cross-cutting concerns like authentication and rate limiting.

401
MCQ (medium)

What is the Open Container Initiative (OCI) responsible for?

A.Certifying Kubernetes administrators
B.Providing a hosted container registry
C.Defining standards for container images and runtimes
D.Managing the Kubernetes source code
Answer: C

OCI oversees the image spec and runtime spec.

Why this answer

The Open Container Initiative (OCI) is a Linux Foundation project that defines open industry standards for container formats and runtimes. Specifically, it maintains the OCI Image Specification (which standardizes the container image format, including layers and configuration), the OCI Runtime Specification (which defines the lifecycle and interface for container runtimes like runc), and the OCI Distribution Specification (the registry API used to push and pull images). This ensures interoperability between different container tools and platforms.

Exam trap

The trap here is that candidates confuse the OCI with the CNCF, assuming the OCI manages Kubernetes or its certification, when in fact the OCI focuses solely on container format and runtime standards, while the CNCF oversees Kubernetes and its ecosystem.

How to eliminate wrong answers

Option A is wrong because certifying Kubernetes administrators is the responsibility of the Cloud Native Computing Foundation (CNCF) through the Certified Kubernetes Administrator (CKA) program, not the OCI. Option B is wrong because hosted container registries are offered by registry vendors and cloud providers (e.g., Docker Hub, Amazon ECR, Google Container Registry) or run self-hosted; the OCI only standardizes the registry API those services implement. Option D is wrong because managing the Kubernetes source code is the role of the CNCF and the Kubernetes community via the Kubernetes GitHub repository; the OCI focuses on container standards, not Kubernetes-specific code.

402
Multi-Select (medium)

Which TWO of the following are benefits of using a Deployment over managing ReplicaSets directly? (Choose two.)

Select 2 answers
A.Support for stateful workloads
B.Declarative scaling
C.Direct access to pod IP addresses
D.Automatic rolling updates and rollbacks
E.Ability to run a pod on every node
Answers: B, D

Deployments allow you to declaratively set replica count.

Why this answer

Deployments provide rolling updates and rollback capabilities, and declarative updates. ReplicaSets do not support rolling updates natively.
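Added example, not part of the original question bank, that serves both the rolling-update procedure in question 396 and the Deployment benefits here: a Deployment whose rollout settings make a bad image stall instead of taking traffic. The name web, the image and the /ready path are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                          # assumed name
spec:
  replicas: 3
  revisionHistoryLimit: 5            # keep old ReplicaSets so "rollout undo" has a target
  progressDeadlineSeconds: 300       # mark the rollout failed if it makes no progress
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1                    # at most 4 Pods exist during the update
      maxUnavailable: 0              # never drop below 3 ready Pods
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: registry.example.com/web:1.1   # assumed image
        ports:
        - containerPort: 8080
        # The rollout only counts a new Pod as available once this passes,
        # so a broken image stalls the rollout rather than taking traffic.
        readinessProbe:
          httpGet:
            path: /ready             # assumed path
            port: 8080
          periodSeconds: 5
```

The procedure from question 396 against this object is: change the image (`kubectl set image deployment/web web=registry.example.com/web:1.2` or apply an edited manifest), watch it with `kubectl rollout status deployment/web`, verify health, and if needed `kubectl rollout undo deployment/web`, which re-activates the previous ReplicaSet kept by revisionHistoryLimit. Managing the ReplicaSets by hand would mean creating the new one, scaling the two in opposite directions step by step, and keeping the old one around yourself.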

403
MCQ (easy)

Which component of the Kubernetes control plane is responsible for storing the cluster state?

A.kube-scheduler
B.kube-controller-manager
C.etcd
D.kube-apiserver
Answer: C

etcd is the key-value store that stores all cluster data.

Why this answer

etcd is a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data.

404
Multi-Select (hard)

Which THREE of the following are important considerations when defining SLOs (Service Level Objectives)? (Select three.)

Select 3 answers
A.They should include an error budget
B.They must be aligned with business impact
C.They must be based on measurable SLIs
D.They define a target percentage over a time window
E.They should minimize infrastructure cost
Answers: B, C, D

SLOs should reflect what matters to users and business.

Why this answer

SLOs should be based on SLIs, define a target (e.g., 99.9%), and include a measurement window. Cost is not a direct consideration for SLO definition.

405
Multi-Select (medium)

Which TWO of the following are valid ways to expose a set of pods as a network service in Kubernetes? (Select two.)

Select 2 answers
A.Creating a Deployment with a label selector
B.Creating a PersistentVolumeClaim
C.Creating an Ingress resource
D.Assigning a public IP directly to a Pod
E.Creating a Service of type ClusterIP
Answers: C, E

Ingress exposes HTTP/HTTPS routes to services outside the cluster.

Why this answer

A Service is the primary resource for exposing pods, and an Ingress can expose HTTP/HTTPS routes to Services. Option A (Deployment) is a workload controller, not a networking resource; Option D (assigning a public IP to a Pod) is not how Kubernetes exposes pods, since pod IPs are ephemeral and cluster-internal; Option B (PersistentVolumeClaim) is for storage.
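Added example, not part of the original question bank: the two valid answers working together, a ClusterIP Service in front of the pods and an Ingress that routes HTTPS to it. The names api and api-tls, the hostname api.example.com and the ingress class nginx are assumptions.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: api                          # assumed name
spec:
  type: ClusterIP                    # reachable only inside the cluster
  selector:
    app: api
  ports:
  - name: http
    port: 80
    targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
spec:
  ingressClassName: nginx            # assumed: a controller of this class is installed
  tls:
  - hosts:
    - api.example.com                # assumed hostname
    secretName: api-tls              # assumed TLS Secret with certificate and key
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api                # the ClusterIP Service above
            port:
              number: 80
```

The Ingress never talks to pods directly: the ingress controller resolves the Service to its endpoints, which is why "Ingress without a Service" is not an option. Terminating TLS at the Ingress keeps certificates in one place, but traffic between the controller and the pods is then plaintext inside the cluster unless a mesh or pod-level TLS covers that hop.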

406
Multi-Select (medium)

Which TWO statements are true about cloud-native architecture?

Select 2 answers
A.Applications are typically monolithic for simplicity
B.Infrastructure is treated as immutable
C.Manual scaling is the default approach
D.Services can be scaled independently
E.Stateful components are preferred for performance
Answers: B, D

Immutable infrastructure provides consistency.

Why this answer

Option D is correct because services built as independently deployable units can be scaled on their own. Option B is correct because immutable infrastructure (replace rather than patch in place) ensures consistency between environments. Option E is wrong because stateless components are preferred, with state pushed to dedicated backing services.

Option C is wrong because cloud-native systems rely on automatic scaling, not manual intervention. Option A is wrong because monolithic designs are the opposite of the loosely coupled services cloud-native architecture favours.

407
MCQ (hard)

A user runs 'kubectl exec -it pod1 -- /bin/sh' and gets the error: 'error: unable to upgrade connection: container not found ("app")'. The pod has one container named 'app'. What is the most likely cause?

A.The pod is running on a different node
B.The container image does not have /bin/sh
C.The container name is misspelled
D.The pod is in a CrashLoopBackOff state
Answer: D

If the container is crashing repeatedly, it may not be running when exec attempts to connect, resulting in this error.

Why this answer

The pod is not running; kubectl exec requires the container to be running. The pod might be in a CrashLoopBackOff state or not yet started.

408
MCQ (easy)

What is the primary purpose of a liveness probe in a container?

A.To check resource usage like CPU and memory
B.To check if the container is still alive; restart if not
C.To check if the container is ready to serve traffic
D.To check if the pod is scheduled on the correct node
Answer: B

Correct. Liveness probes restart containers that become unresponsive.

Why this answer

Liveness probes determine if a container is running; if they fail, kubelet restarts the container.
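Added example, not part of the original question bank: one Pod with all three probe types side by side, because the exam trap is mixing up liveness (restart) with readiness (stop sending traffic). The name web, the image and the /healthz and /ready paths are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web                          # assumed name
spec:
  containers:
  - name: web
    image: registry.example.com/web:1.0   # assumed image
    ports:
    - containerPort: 8080
    # Liveness: "is the process wedged?" After failureThreshold consecutive
    # failures the kubelet kills and restarts the container. Keep this
    # endpoint local (no database or downstream calls), otherwise an
    # outage elsewhere turns into a restart storm here.
    livenessProbe:
      httpGet:
        path: /healthz               # assumed path
        port: 8080
      periodSeconds: 10
      timeoutSeconds: 2
      failureThreshold: 3
    # Readiness: "can it take traffic right now?" A failure only removes
    # the pod from Service endpoints; nothing is restarted. This one may
    # check dependencies.
    readinessProbe:
      httpGet:
        path: /ready                 # assumed path
        port: 8080
      periodSeconds: 5
      failureThreshold: 2
    # Startup: gives a slow-starting app up to 30 x 5s before the liveness
    # probe begins counting, instead of a long initialDelaySeconds.
    startupProbe:
      httpGet:
        path: /healthz
        port: 8080
      periodSeconds: 5
      failureThreshold: 30
```

A useful check when a pod is restarting unexpectedly is `kubectl describe pod web`, whose Events show "Liveness probe failed" with the HTTP status or timeout, which distinguishes a probe-driven restart from an application crash.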

409
Multi-Select (medium)

Which TWO statements correctly describe how Kubernetes handles self-healing? (Select two.)

Select 2 answers
A.If a node fails, the ReplicaSet controller automatically recreates the pods on healthy nodes
B.If a container in a pod crashes, the kubelet restarts it according to the pod's restart policy
C.Kubernetes automatically fixes application-level bugs by rolling back to a previous version
D.Kubernetes can automatically resolve OOMKilled errors by increasing memory limits
Answers: A, B

The ReplicaSet (or Deployment) controller detects that pods are no longer running and creates replacement pods on available nodes.

Why this answer

Option A is correct: when a node becomes unreachable the node controller marks it NotReady, its pods are evicted once the pod's `node.kubernetes.io/unreachable` toleration expires (300 seconds by default), and the ReplicaSet controller creates replacement pods on healthy nodes to restore the desired replica count. This self-healing happens at the controller level, independent of any kubelet. Option B is correct: a container that exits is restarted by the kubelet on the same node according to the pod's `restartPolicy` (Always by default), with an exponential back-off between attempts, which is what the CrashLoopBackOff status reports. Kubernetes does not roll back application versions or raise resource limits on its own; those require a Deployment rollback or a resource change that an operator (human or automated) initiates.

Exam trap

CNCF often tests the distinction between automatic self-healing at the infrastructure level (node/pod restarts) versus manual or policy-driven recovery for application-level issues, leading candidates to incorrectly assume Kubernetes automatically fixes bugs or adjusts resource limits.

410
MCQ (medium)

What is the purpose of the Container Runtime Interface (CRI) in Kubernetes?

A.To allow kubelet to use different container runtimes without modifying its code
B.To replace Docker as the only supported runtime
C.To define the format of container images
D.To provide a standard API for managing containers across different orchestration platforms
Answer: A

CRI abstracts the container runtime so that kubelet can work with containerd, CRI-O, etc.

Why this answer

CRI is a plugin interface that allows kubelet to use a variety of container runtimes without needing to recompile kubelet. It standardizes how kubelet communicates with the runtime.

411
MCQ (easy)

What is the smallest deployable unit in Kubernetes?

A.Deployment
B.Container
C.Node
D.Pod
Answer: D

Pods are the smallest deployable units in Kubernetes.

Why this answer

A Pod is the smallest and simplest unit in the Kubernetes object model, representing a single instance of a running process.

412
MCQ (hard)

A StatefulSet named 'web' with 3 replicas is deployed in the 'production' namespace. The first two pods are running, but the third pod 'web-2' is pending with the error shown. What is the most likely cause?

A.The StatefulSet requires a headless Service that does not exist
B.The pod anti-affinity rule prevents more than one pod per node, and there are only 3 nodes
C.The pod has a resource request that cannot be satisfied by any node
D.There are not enough nodes in the cluster to schedule the third pod
Answer: B

The scheduler cannot place web-2 because all nodes already have a pod from the same set.

Why this answer

The error indicates that 'web-2' cannot be scheduled, not that it failed at runtime. A pod anti-affinity rule of the 'requiredDuringSchedulingIgnoredDuringExecution' kind with topologyKey 'kubernetes.io/hostname' forbids two pods of the same StatefulSet on one node, and the scheduler reports this explicitly in the pod's events ("didn't match pod anti-affinity rules") rather than as a resource shortage. Strictly, three schedulable nodes would leave one free for web-2, so this situation means every node the scheduler is allowed to use already hosts a web pod, for instance because the third node carries a control-plane taint or is cordoned; the hard rule then blocks placement even though capacity exists.

Exam trap

CNCF often tests the distinction between resource constraints and scheduling constraints (like anti-affinity), leading candidates to mistakenly choose 'not enough nodes' when the real issue is a rule that prevents using all available nodes.

How to eliminate wrong answers

Option A is wrong because a headless Service is required for stable network identities in a StatefulSet, but its absence would cause DNS resolution failures, not a scheduling/pending error. Option C is wrong because resource requests that cannot be satisfied would produce an 'Insufficient cpu' or 'Insufficient memory' scheduling event, not one that names an anti-affinity rule. Option D is wrong because the cluster has exactly 3 nodes, which matches the replica count; the issue is not the number of nodes but the anti-affinity rule preventing co-location on the same node.
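Added example, not part of the original question bank: the pod template that produces this behaviour, with the soft variant shown in comments beside the hard rule. The StatefulSet name web and namespace production come from the question; the label app: web, the headless Service name and the image are assumptions.

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
  namespace: production
spec:
  serviceName: web                   # assumed headless Service name
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      affinity:
        podAntiAffinity:
          # Hard rule: a new pod may only go to a node that has NO pod
          # labelled app=web. If every schedulable node already has one,
          # the pod stays Pending and the event reads "didn't match pod
          # anti-affinity rules", not "Insufficient cpu".
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: web
            topologyKey: kubernetes.io/hostname
          # Soft alternative (swap in for the block above): prefer spreading
          # but still schedule when no free node is left. Trade-off: two
          # replicas may then share a node and fail together.
          # preferredDuringSchedulingIgnoredDuringExecution:
          # - weight: 100
          #   podAffinityTerm:
          #     labelSelector:
          #       matchLabels:
          #         app: web
          #     topologyKey: kubernetes.io/hostname
      containers:
      - name: web
        image: registry.example.com/web:1.0   # assumed image
```

To confirm which rule is in play, `kubectl describe pod web-2 -n production` shows the scheduler's FailedScheduling event, and `kubectl get nodes` reveals whether the third node is tainted or cordoned rather than missing.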

413
MCQ (medium)

You need to run a batch job that processes a queue and then terminates. Which Kubernetes resource is most appropriate?

A.StatefulSet
B.Job
C.Deployment
D.DaemonSet
Answer: B

Jobs run Pods that perform a task and then terminate.

Why this answer

A Job is the correct resource because it is designed to run a specified number of pods to completion and then terminate, making it ideal for batch processing tasks like processing a queue. Unlike controllers that maintain a desired state indefinitely, a Job ensures the pod runs successfully to completion, even if the pod fails and needs to be restarted, and then stops.

Exam trap

CNCF often tests the distinction between controllers that maintain a desired state (Deployment, StatefulSet, DaemonSet) versus controllers that run to completion (Job), and the trap here is assuming that any workload that processes data must use a Deployment because it's the most common controller.

How to eliminate wrong answers

Option A is wrong because a StatefulSet is used for stateful applications that require stable, unique network identifiers and persistent storage, not for batch jobs that terminate. Option C is wrong because a Deployment is designed to maintain a desired number of replica pods running continuously, not to run a task to completion and then stop. Option D is wrong because a DaemonSet ensures that a copy of a pod runs on every node (or a subset of nodes) in the cluster, typically for cluster-level services like logging or monitoring, not for one-off batch processing.
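Added example, not part of the original question bank, serving both this question and question 397: a Job that drains a queue with bounded retries, a hard deadline and automatic clean-up, the three settings that turn "runs to completion" into something safe to leave unattended. The name drain-queue, the image and the worker's command-line flags are assumptions.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: drain-queue                  # assumed name
spec:
  completions: 4                     # done after 4 successful pod runs
  parallelism: 2                     # at most 2 workers at a time
  backoffLimit: 3                    # give up after 3 failed pods
  activeDeadlineSeconds: 1800        # hard stop so a stuck worker cannot run forever
  ttlSecondsAfterFinished: 3600      # garbage-collect the Job and its pods an hour after it ends
  template:
    spec:
      restartPolicy: OnFailure       # Jobs accept Never or OnFailure, not Always
      containers:
      - name: worker
        image: registry.example.com/queue-worker:1.0   # assumed image
        args: ["--queue", "orders", "--exit-when-empty"]   # assumed flags
        resources:
          requests: {cpu: 250m, memory: 128Mi}
          limits: {memory: 512Mi}
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
```

`kubectl get jobs` reports COMPLETIONS as 4/4 when it is finished; a Deployment running the same image would instead restart the worker forever after it exits, which is the mismatch the question is testing.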

414
MCQeasy

A DevOps engineer needs to expose a set of pods running an HTTP API to external clients. The pods are stateless and should be load-balanced. Which Kubernetes resource should they use?

A.StatefulSet with a headless Service
B.Ingress resource without a Service
C.Service of type ClusterIP
D.Service of type LoadBalancer
AnswerD

LoadBalancer exposes the service externally and provides load balancing.

Why this answer

A Service of type LoadBalancer is the correct choice because it provisions an external load balancer (e.g., an AWS ELB or Azure LB) that distributes incoming traffic across the pods, exposing the stateless HTTP API to external clients. This resource automatically assigns a public IP and handles load balancing without requiring manual proxy configuration, making it ideal for external access to stateless workloads.

Exam trap

The trap here is that candidates often confuse 'exposing to external clients' with internal-only services, leading them to pick ClusterIP (C) or assume Ingress (B) can work without a Service, while the question explicitly requires load balancing for stateless pods, making LoadBalancer the direct and correct answer.

How to eliminate wrong answers

Option A is wrong because a StatefulSet is designed for stateful applications (e.g., databases) that require stable network identities and persistent storage, not for stateless HTTP APIs, and a headless Service does not provide load balancing or external exposure. Option B is wrong because an Ingress resource cannot function without a backing Service; it requires a Service (typically of type NodePort or LoadBalancer) to route traffic to pods, and it does not itself expose pods directly. Option C is wrong because a Service of type ClusterIP is only reachable within the cluster's internal network (e.g., via cluster IP 10.0.0.1) and cannot be accessed by external clients without additional components like a proxy or Ingress.

415
MCQeasy

Which component of Kubernetes is responsible for maintaining the desired state of the cluster?

A.kube-scheduler
B.kube-controller-manager
C.kubelet
D.kube-apiserver
AnswerB

Correct. It runs controllers that reconcile desired state.

Why this answer

The kube-controller-manager is the component that runs controller processes, which are responsible for regulating the state of the cluster. It continuously watches the current state via the kube-apiserver and takes corrective actions to drive the cluster toward the desired state, such as ensuring the correct number of pods are running.

Exam trap

CNCF often tests the misconception that the kube-scheduler maintains desired state because it 'schedules' pods, but scheduling is only one part of the control loop; the actual state reconciliation is done by the controller-manager.

How to eliminate wrong answers

Option A is wrong because the kube-scheduler is responsible for assigning pods to nodes based on resource availability and constraints, not for maintaining the desired state. Option C is wrong because the kubelet is an agent that runs on each node and ensures containers are running in a pod, but it does not maintain the cluster-wide desired state. Option D is wrong because the kube-apiserver serves as the front-end for the Kubernetes control plane, handling API requests and storing state in etcd, but it does not actively enforce or reconcile the desired state.

416
MCQeasy

Which of the following best describes a key advantage of containers over virtual machines?

A.Containers share the host OS kernel, resulting in lower resource overhead compared to VMs
B.Containers take longer to start than VMs because they need to initialize a kernel
C.Containers consume more disk space than VMs because they include a full operating system
D.Containers have stronger isolation than VMs because each container runs its own kernel
AnswerA

Containers share the host kernel, eliminating the need for a guest OS per instance, which reduces resource consumption and improves density.

Why this answer

Option A is correct. Containers share the host OS kernel, making them more lightweight than VMs, which each include a full guest OS. Option B is false: containers share the host kernel rather than initializing their own, so they start quickly, while VMs typically take longer to start. Option C is false: containers do not bundle a full operating system, so their resource usage is lower than that of VMs. Option D is false: containers do not each run their own kernel; they share the host kernel, which is why their isolation is weaker than a VM's, not stronger.

417
MCQmedium

A DevOps engineer wants to update a Deployment's container image from 'v1' to 'v2' with zero downtime. Which kubectl command should they use?

A.kubectl rollout restart deployment/<name>
B.kubectl patch deployment <name> -p '{"spec":{"template":{"spec":{"containers":[{"name":"<container>","image":"<image>:v2"}]}}}}'
C.kubectl set image deployment/<name> <container>=<image>:v2
D.kubectl edit deployment <name>
AnswerC

This command triggers a rolling update, which by default updates pods gradually with zero downtime.

Why this answer

Option C is correct because `kubectl set image` directly updates the container image in a Deployment's pod template, triggering a rolling update that replaces pods incrementally with zero downtime. Kubernetes Deployments manage ReplicaSets to ensure availability during the update, making this the simplest and most reliable command for a controlled image change.

Exam trap

The trap here is that candidates may confuse `kubectl rollout restart` (which only restarts pods with the same image) with `kubectl set image` (which actually changes the image), or assume that any command modifying the Deployment (like patch or edit) inherently provides zero downtime without considering the rolling update mechanism.

How to eliminate wrong answers

Option A is wrong because `kubectl rollout restart` triggers a restart of all pods with the existing image, not an image update; it does not change the container image from 'v1' to 'v2'. Option B is wrong because while a patch can update the image, it requires manually specifying the full container name and image string, which is error-prone and less concise than `kubectl set image`; it also does not inherently enforce a rolling update strategy if the Deployment's update strategy is misconfigured. Option D is wrong because `kubectl edit` opens an interactive editor, which is not suitable for automation or scripting and introduces risk of human error; it does not guarantee zero downtime if the user accidentally changes other fields.

418
MCQeasy

Which of the following is a container runtime that implements the Container Runtime Interface (CRI)?

A.containerd
B.Docker
C.runc
D.kubelet
AnswerA

containerd is a high-level container runtime that implements the CRI and is used by Kubernetes.

Why this answer

containerd is a high-level container runtime that directly implements the Container Runtime Interface (CRI) by exposing a gRPC API that kubelet can call to manage pods and containers. It was originally extracted from Docker and is now the default runtime in many Kubernetes distributions, providing image transfer, container lifecycle management, and storage/network attachment without requiring Docker as an intermediary.

Exam trap

CNCF often tests the misconception that Docker is a CRI-compliant runtime, when in fact Docker uses a separate adapter (dockershim) that was removed in Kubernetes v1.24, making containerd the standard CRI implementation.

How to eliminate wrong answers

Option B (Docker) is wrong because Docker does not implement the CRI natively; instead, Kubernetes uses the dockershim (deprecated since v1.24) as a CRI adapter to translate CRI calls into Docker API calls, meaning Docker is not a CRI-compliant runtime itself. Option C (runc) is wrong because runc is a low-level OCI runtime that only creates and runs containers according to the OCI spec; it does not implement the CRI gRPC interface or handle higher-level tasks like image management or pod sandbox creation. Option D (kubelet) is wrong because kubelet is the Kubernetes node agent that acts as a CRI client, not a CRI implementation; it calls the CRI API on a container runtime (like containerd) to manage containers.

419
MCQhard

A pod remains in 'Pending' state. Upon inspecting the pod with 'kubectl describe pod', you see the message '0/1 nodes are available: 1 node(s) had taint {node.kubernetes.io/disk-pressure: }, that the pod didn't tolerate'. What is the most likely cause?

A.The pod is not using a ServiceAccount
B.The node has a disk pressure condition and the pod lacks a toleration
C.The pod's resource requests exceed the node's capacity
D.The pod's container image does not exist
AnswerB

The taint 'node.kubernetes.io/disk-pressure' indicates disk pressure on the node. Pods without a toleration for this taint cannot be scheduled.

Why this answer

The taint indicates a node has disk pressure, and the pod does not have a toleration for it, so it cannot be scheduled on that node.

420
MCQeasy

Which CNCF project is primarily focused on providing a unified way to define and manage cloud-native applications using declarative configuration stored in Git?

A.Helm
B.ArgoCD
C.Prometheus
D.Envoy
AnswerB

ArgoCD is a declarative GitOps CD tool for Kubernetes that synchronizes application state with Git repositories.

Why this answer

GitOps uses Git as the single source of truth for declarative infrastructure and application configuration. ArgoCD is a CNCF graduated project that implements GitOps for Kubernetes. Flux is also a GitOps tool but ArgoCD is more widely recognized as the primary GitOps project.

421
MCQmedium

In GitOps with ArgoCD, what happens when the desired state in Git differs from the live state in the cluster?

A.ArgoCD reports an error and stops working
B.ArgoCD syncs the cluster to match Git if auto-sync is enabled
C.ArgoCD deletes the Git repository
D.ArgoCD automatically reverts the changes in Git
AnswerB

Auto-sync ensures cluster state matches Git.

Why this answer

ArgoCD detects drift and can automatically sync the cluster to match Git, enabling self-healing.

422
MCQmedium

A team observes that a Pod is stuck in CrashLoopBackOff. The Pod runs a single container with an entrypoint that exits with non-zero code after a few seconds. The team wants to inspect the container's logs to understand why it is crashing. Which command should they use?

A.kubectl get pods
B.kubectl logs <pod-name> --previous
C.kubectl describe pod <pod-name>
D.kubectl exec -it <pod-name> -- sh
AnswerB

Shows logs from the previous container instance, useful for crash logs.

Why this answer

The `kubectl logs <pod-name> --previous` command retrieves the logs from the previous instance of a crashed container. Since the Pod is in CrashLoopBackOff, the current container has already exited, and the `--previous` flag accesses the logs of the last terminated container, which contains the crash output (e.g., the non-zero exit code and error messages). This is the direct way to see why the entrypoint failed.

Exam trap

CNCF often tests the distinction between `kubectl logs` (which shows container output) and `kubectl describe pod` (which shows events and status), leading candidates to choose describe when they need actual log content.

How to eliminate wrong answers

Option A is wrong because `kubectl get pods` only lists the Pods and their statuses (e.g., CrashLoopBackOff), but does not provide any logs or crash details. Option C is wrong because `kubectl describe pod <pod-name>` shows the Pod's metadata, events, and container status (including restart count and last exit code), but it does not show the container's stdout/stderr logs, which are needed to understand the crash reason. Option D is wrong because `kubectl exec -it <pod-name> -- sh` attempts to open a shell in a running container, but the container is crashing and not running, so the exec command will fail with an error like 'cannot exec into a container in a crashed state'.

423
MCQmedium

In the context of distributed tracing, what is a 'span'?

A.A metric that measures request latency
B.A tool for collecting logs from containers
C.The entire end-to-end transaction across services
D.A single logical operation within a service, with a start and end time
AnswerD

Correct. A span represents one operation, such as a database call or an HTTP request handler.

Why this answer

A span is the fundamental building block of a trace, representing a single unit of work in a distributed system.

424
MCQhard

An application requires that configuration data be mounted as a file inside the container. The data may change at runtime, and the application should automatically read the updated values without restarting. Which approach should be used?

A.Store the configuration in a Secret and mount it using subPath
B.Use a ConfigMap mounted as a volume without subPath
C.Use a PersistentVolumeClaim to store the configuration
D.Store the configuration in an environment variable from a ConfigMap
AnswerB

When mounted as a volume without subPath, the files are updated via symlinks, and the application can read the new content if it watches for changes.

Why this answer

When a ConfigMap is mounted as a volume with `subPath`, updates are not reflected automatically. Using a projected volume or a symlink-based update (e.g., mounting the ConfigMap directly without `subPath`) allows automatic updates. The simplest way is to mount the ConfigMap as a volume without `subPath`, so updates are eventually reflected.

425
MCQeasy

Which Kubernetes component is responsible for maintaining the desired state of the cluster by running controllers?

A.kube-apiserver
B.kube-scheduler
C.kube-controller-manager
D.etcd
AnswerC

Correct. It runs controller processes like node controller, replication controller, etc.

Why this answer

The kube-controller-manager is the component that runs controller processes, which are control loops that watch the shared state of the cluster through the kube-apiserver and make changes to drive the current state toward the desired state. It bundles together controllers such as the Node Controller, Replication Controller, and Endpoint Controller, each responsible for specific aspects of cluster state management.

Exam trap

CNCF often tests the misconception that the kube-apiserver is responsible for maintaining desired state because it is the central API gateway, but the actual enforcement is done by controllers within the kube-controller-manager.

How to eliminate wrong answers

Option A is wrong because kube-apiserver is the front-end for the Kubernetes control plane that exposes the Kubernetes API, handling authentication, authorization, and validation of API requests, but it does not run controllers to maintain desired state. Option B is wrong because kube-scheduler is responsible for assigning newly created pods to nodes based on resource requirements and constraints, not for running controllers that maintain cluster state. Option D is wrong because etcd is a distributed key-value store that serves as Kubernetes' backing store for all cluster data, but it does not execute controller logic or enforce desired state.

426
Multi-Selecteasy

Which TWO components are part of the Kubernetes worker node?

Select 2 answers
A.kube-apiserver
B.etcd
C.kube-scheduler
D.kube-proxy
E.kubelet
AnswersD, E

kube-proxy runs on each worker node to handle networking.

Why this answer

Worker nodes run kubelet, kube-proxy, and a container runtime. The API server and scheduler run on the control plane.

427
MCQhard

A microservices application has multiple services that need to discover each other by name. Which Kubernetes object provides built-in service discovery via DNS?

A.Ingress
B.Namespace
C.ConfigMap
D.Service
AnswerD

Services are assigned DNS names (e.g., my-svc.namespace.svc.cluster.local).

Why this answer

Services in Kubernetes are assigned DNS names, allowing pods to resolve service names to cluster IPs.

428
MCQmedium

Which command would you use to view the logs of a specific container in a multi-container pod?

A.kubectl logs mycontainer -p mypod
B.kubectl logs mypod --container mycontainer
C.kubectl logs mypod -c mycontainer
D.kubectl logs mypod mycontainer
AnswerC

Correct: -c specifies the container name.

Why this answer

The -c flag specifies the container name within the pod.

429
MCQeasy

What is the primary purpose of a container registry in a CI/CD pipeline?

A.To store source code
B.To store and distribute container images
C.To manage Kubernetes secrets
D.To run unit tests
AnswerB

Container registries are designed to store and distribute container images, enabling deployment in Kubernetes.

Why this answer

A container registry stores built container images and provides a mechanism to push and pull images. It is a central component in the CI/CD workflow for image distribution.

430
Matchingmedium

Match each Kubernetes security concept to its definition.


Descriptions

Identity for processes running in a pod

Role-based access control to authorize API requests

Specifies how groups of pods are allowed to communicate

Deprecated but formerly controlled security-sensitive pod settings

Stores sensitive data like passwords and tokens

Why these pairings

These are key security mechanisms in Kubernetes.

431
Multi-Selecthard

Which TWO practices are recommended for designing cloud-native microservices? (Choose 2)

Select 2 answers
A.Share a common database schema across all services.
B.Store configuration in environment variables inside the container image.
C.Implement health check endpoints for each service.
D.Use synchronous HTTP calls for all inter-service communication.
E.Design services around business capabilities.
AnswersC, E

Health checks enable orchestration platforms to manage service lifecycle.

Why this answer

Option C is correct because health check endpoints (e.g., /healthz or /ready) are a fundamental pattern in cloud-native microservices. They allow orchestration platforms like Kubernetes to perform liveness and readiness probes, ensuring that traffic is only routed to healthy instances and that unhealthy pods are automatically restarted. This aligns with the cloud-native principle of designing for resilience and self-healing.

Exam trap

The trap here is that candidates often confuse 'configuration in environment variables' (which is acceptable when injected at runtime) with 'storing configuration inside the container image' (which is an anti-pattern), leading them to incorrectly select Option B.

432
Multi-Selecthard

Which THREE of the following are valid container runtimes that can be used with Kubernetes via the Container Runtime Interface (CRI)? (Select three.)

Select 3 answers
A.rkt
B.containerd
C.Kata Containers
D.Docker
E.CRI-O
AnswersB, C, E

containerd is a CRI-compliant runtime and is widely used in Kubernetes.

Why this answer

containerd and CRI-O are both lightweight container runtimes designed for Kubernetes and implement the CRI. Kata Containers provides hardware virtualization isolation and also implements CRI. Docker is not a CRI-compliant runtime; it uses dockershim (deprecated and removed). rkt was an alternative but is not widely used and does not implement CRI directly.

433
MCQeasy

What is the smallest deployable unit in Kubernetes that can be created and managed?

A.Deployment
B.Service
C.Container
D.Pod
AnswerD

A Pod encapsulates one or more containers, storage, and network.

Why this answer

A Pod is the smallest and simplest Kubernetes object, representing a single instance of a running process in the cluster.

434
MCQeasy

Which command creates a Deployment named 'nginx' from the 'nginx:1.19' image?

A.kubectl run nginx --image=nginx:1.19
B.kubectl create deployment nginx --image=nginx:1.19
C.kubectl start deployment nginx --image=nginx:1.19
D.kubectl apply -f nginx-deployment.yaml
AnswerB

This creates a Deployment named nginx with the specified image.

Why this answer

Option B is correct because the `kubectl create deployment` command is the standard Kubernetes imperative method to create a Deployment resource, and specifying `--image=nginx:1.19` directly sets the container image for the pod template. This command generates a Deployment object that manages a ReplicaSet with the specified image, ensuring declarative updates and rollback capabilities.

Exam trap

The trap here is that candidates confuse `kubectl run` (which creates a Pod, not a Deployment) with `kubectl create deployment`, especially since older versions of `kubectl run` could create Deployments, but the current behavior defaults to Pod creation unless the `--generator` flag is used.

How to eliminate wrong answers

Option A is wrong because `kubectl run` creates a standalone Pod, not a Deployment resource (older versions could create a Deployment via the now-deprecated `--generator=deployment/v1beta1`); it does not provide the same lifecycle management, scaling, or rolling update features as a Deployment. Option C is wrong because `kubectl start deployment` is not a valid kubectl command; the correct imperative verb is `create`, not `start`. Option D is wrong because while `kubectl apply -f nginx-deployment.yaml` can create a Deployment, it requires a pre-existing YAML manifest file, not a direct image specification, and the question asks for the command that creates a Deployment from the image directly.

435
MCQeasy

Which resource in Kubernetes is used to expose a set of pods as a network service?

A.Pod
B.Deployment
C.Service
D.Ingress
AnswerC

Provides stable IP and DNS name for pods.

Why this answer

Option C is correct because a Service in Kubernetes provides a stable network endpoint (IP address and DNS name) to expose a set of pods, which are ephemeral and can be replaced. Services use selectors to identify target pods and load-balance traffic across them, enabling reliable communication within or outside the cluster.

Exam trap

CNCF often tests the misconception that a Deployment can expose pods as a network service, but a Deployment only manages pod lifecycle and replicas, not network exposure.

How to eliminate wrong answers

Option A is wrong because a Pod is the smallest deployable unit in Kubernetes and has its own IP address, but it is ephemeral and cannot provide a stable network endpoint for a set of pods. Option B is wrong because a Deployment manages the desired state of replica sets and pods, but it does not expose them as a network service; it is a controller, not a networking abstraction. Option D is wrong because an Ingress is a higher-level resource that provides HTTP/HTTPS routing rules to Services, but it does not directly expose pods as a network service; it relies on a Service to do so.

436
MCQmedium

You want to isolate a team's workloads within a Kubernetes cluster so that they cannot see or access resources from other teams. Which feature should you use?

A.Annotations
B.Labels and selectors
C.Resource quotas
D.Namespaces
AnswerD

Namespaces create isolated scopes for resources.

Why this answer

Namespaces provide logical isolation and are commonly used to separate teams or environments. Combined with RBAC and NetworkPolicies, they enable multi-tenancy.

437
MCQhard

Refer to the exhibit. The deployment myapp is updated from image myapp:1.0 to myapp:2.0. During the rollout, what is the maximum number of pods that will be unavailable at any given time?

A.2
B.0
C.3
D.1
AnswerB

maxUnavailable: 0 ensures at least 3 pods are always available.

Why this answer

Option B is correct because the deployment strategy defaults to RollingUpdate with a maxUnavailable setting of 25% (rounded up), which for a deployment with 4 replicas allows 1 pod to be unavailable. However, the question states that during the rollout the maximum number of pods that will be unavailable at any given time is 0, which implies the deployment uses a maxSurge and maxUnavailable configuration that ensures no pods are taken down until new ones are ready—this is achieved by setting maxUnavailable to 0 and maxSurge to 1 or more, so the deployment creates a new pod before terminating an old one, guaranteeing zero downtime.

Exam trap

CNCF often tests the default rolling update behavior (maxUnavailable=25%) to trick candidates into calculating a nonzero value, but the trap here is that the question explicitly describes a scenario where no pods are unavailable, which requires recognizing that maxUnavailable can be set to 0 to achieve zero-downtime updates.

How to eliminate wrong answers

Option A (2) is wrong because it assumes a maxUnavailable of 50% or a reckless scaling behavior that would allow two pods to be down simultaneously, which contradicts the zero-downtime requirement implied by the correct answer. Option C (3) is wrong because it suggests a majority of pods could be unavailable, which would violate the deployment's desired state and is not allowed by any standard rolling update configuration. Option D (1) is wrong because while a default rolling update with 4 replicas would allow 1 unavailable pod (25% rounded up), the question's context indicates that the deployment is configured to maintain full availability, so even 1 unavailable pod is not permitted.

438
MCQhard

In a serverless architecture using Knative, what happens when a function finishes processing an event and there are no pending events?

A.The function instance is automatically scaled down to zero replicas
B.The function instance is terminated and the container image is deleted
C.The function continues to run but stops listening for events
D.The function instance remains running for a configurable idle timeout
AnswerA

Knative supports auto-scaling to zero when there are no incoming requests.

Why this answer

Knative scales the function to zero replicas when idle, which is a key feature of serverless platforms.

439
Multi-Selectmedium

Which two of the following are valid ways to set resource constraints on a container in a Pod spec?

Select 2 answers
A.Specify 'resources.guarantees.cpu' for CPU guarantees
B.Specify 'resources.limits.memory' for maximum memory
C.Specify 'resources.min.memory' for minimum memory
D.Specify 'resources.requests.cpu' for minimum CPU
E.Specify 'resources.max.cpu' for CPU limits
AnswersB, D

Limits cap resource usage.

Why this answer

Option B is correct because 'resources.limits.memory' is the valid Kubernetes field to set the maximum amount of memory a container can use. When a container exceeds this limit, it may be terminated or OOM-killed by the kubelet. This is a core concept in Kubernetes resource management for ensuring predictable application behavior.

Exam trap

The trap here is that candidates confuse the naming convention of Kubernetes resource fields (e.g., 'limits' vs 'max', 'requests' vs 'min' or 'guarantees'), leading them to choose plausible-sounding but non-existent keys like 'resources.max.cpu' or 'resources.guarantees.cpu'.

440
MCQmedium

Which GitOps tool uses a pull-based approach to synchronize the desired state in a Git repository with the actual state in a Kubernetes cluster?

A.Flux
B.Terraform
C.Helm
D.ArgoCD
AnswerD

ArgoCD is a declarative, pull-based GitOps operator for Kubernetes.

Why this answer

ArgoCD is a popular GitOps tool that continuously monitors a Git repository and reconciles the cluster state with the desired state defined in the repo.

441
MCQmedium

A company wants to migrate its monolithic application to a cloud-native architecture on Kubernetes. The application currently uses a shared database and communicates via internal HTTP calls. Which design pattern should be applied first to increase resilience and enable independent scaling of components?

A.Adopt CQRS pattern to separate reads and writes
B.Use the strangler fig pattern to gradually replace monolith functionality
C.Implement database-per-service pattern
D.Deploy a sidecar container for each service
AnswerB

Allows incremental migration with minimal risk.

Why this answer

The strangler fig pattern is the correct first step because it allows the team to incrementally replace specific functionalities of the monolithic application with microservices without disrupting the existing system. This pattern routes requests to either the old monolith or new services, enabling gradual migration, independent scaling of extracted components, and improved resilience by isolating failures. It directly addresses the need to move from a shared-database, HTTP-calling monolith to a cloud-native architecture on Kubernetes.

Exam trap

CNCF often tests the misconception that you should immediately apply a database-per-service or CQRS pattern when migrating, but the strangler fig pattern is the foundational first step to safely decompose a monolith without a big-bang rewrite.

How to eliminate wrong answers

Option A is wrong because CQRS (Command Query Responsibility Segregation) is a pattern for separating read and write operations, typically used with event sourcing or complex query models; it does not address the gradual decomposition of a monolith or enable independent scaling of components during migration. Option C is wrong because implementing a database-per-service pattern prematurely would require breaking the shared database into multiple databases, which is a high-risk, all-at-once change that contradicts the gradual migration goal and can cause data consistency issues without first establishing service boundaries. Option D is wrong because deploying a sidecar container for each service is a deployment pattern for adding auxiliary functionality (e.g., logging, proxies) to a pod, but it does not help in decomposing the monolith or enabling independent scaling of components; it is an operational pattern applied after services are defined.

442
MCQmedium

Which Kubernetes object is used to store non-confidential configuration data that can be consumed by pods?

A.ServiceAccount
B.Secret
C.ConfigMap
D.PersistentVolume
AnswerC

ConfigMaps store non-sensitive configuration data.

Why this answer

ConfigMap is the correct Kubernetes object for storing non-confidential configuration data, such as environment variables, command-line arguments, or configuration files, that can be consumed by pods. Unlike Secrets, ConfigMaps store data in plain text and are designed for configuration that does not require encryption, making them ideal for application settings that are not sensitive.

Exam trap

CNCF often tests the distinction between ConfigMaps and Secrets, where candidates mistakenly choose Secrets for all configuration data, forgetting that Secrets are intended only for sensitive information and ConfigMaps are the correct choice for non-confidential data.

How to eliminate wrong answers

Option A is wrong because a ServiceAccount is an identity object used to control pod-level authentication to the Kubernetes API server, not for storing configuration data. Option B is wrong because a Secret is specifically designed for storing sensitive data (e.g., passwords, tokens, SSH keys) and is base64-encoded, not for non-confidential configuration. Option D is wrong because a PersistentVolume is a storage resource abstraction that provides persistent storage to pods, not a mechanism for injecting configuration data.

443
MCQmedium

Which component is responsible for running containers in a Kubernetes node and implements the Container Runtime Interface (CRI)?

A.kubelet
B.etcd
C.kube-proxy
D.containerd
AnswerD

containerd is a CRI-compliant container runtime that runs and manages containers.

Why this answer

containerd is the correct answer because it is the container runtime that directly manages container lifecycle operations (create, start, stop, delete) on a Kubernetes node and implements the Container Runtime Interface (CRI), which is the gRPC-based protocol that kubelet uses to interact with container runtimes. Kubernetes requires a CRI-compliant runtime, and containerd is a graduated CNCF project that fulfills this role by exposing the CRI API via its `cri` plugin.

Exam trap

CNCF often tests the misconception that kubelet directly runs containers, but in reality kubelet is only the orchestrator agent that delegates to a CRI-compliant runtime like containerd, making containerd the correct answer.

How to eliminate wrong answers

Option A (kubelet) is wrong because kubelet is the node agent that communicates with the control plane and manages pods, but it does not run containers directly—it delegates container operations to a CRI-compliant runtime like containerd. Option B (etcd) is wrong because etcd is a distributed key-value store used for cluster state persistence, not for running containers or implementing CRI. Option C (kube-proxy) is wrong because kube-proxy is a network proxy that handles service routing and load balancing using iptables or IPVS, and it has no role in container runtime operations or the CRI.

444
MCQeasy

Which Kubernetes resource provides a stable IP address and DNS name to access a set of pods?

A.Ingress
B.EndpointSlice
C.Service
D.NetworkPolicy
AnswerC

A Service provides a stable IP and DNS name to reach a group of pods.

Why this answer

Option C is correct because a Kubernetes Service provides a stable virtual IP address (the ClusterIP) and a DNS name (e.g., my-svc.namespace.svc.cluster.local) that remain constant while the underlying pods are created, destroyed, or scaled. Clients therefore reach a set of pods without tracking individual pod IPs, which are ephemeral. The Service selects pods by label; the IPs of matching, ready pods are tracked in EndpointSlices, and kube-proxy programs each node so that traffic to the Service IP is distributed across them.

Exam trap

The trap here is that candidates often confuse Ingress (which provides external access) with the internal stable IP/DNS abstraction provided by a Service, or they mistakenly think EndpointSlice (a newer, more scalable replacement for Endpoints) is the resource that offers a stable network identity.

How to eliminate wrong answers

Option A is wrong because Ingress is not a stable IP/DNS resource for pods; it is an API object that manages external HTTP/HTTPS access to Services, typically providing host-based or path-based routing and TLS termination, but it does not itself assign a stable IP or DNS name to a set of pods. Option B is wrong because EndpointSlice is not a stable IP/DNS resource; it is a lower-level object that tracks the actual IP addresses and ports of pods matching a Service's selector, used for scalability and efficiency, but it does not provide a stable endpoint for clients. Option D is wrong because NetworkPolicy is a security resource that controls traffic flow at the IP address or port level (OSI layer 3 or 4) using pod selectors and namespace selectors; it does not provide any IP address or DNS name for accessing pods.

445
MCQeasy

What is the primary purpose of structured logging?

A.To replace metrics and traces
B.To reduce the size of log files
C.To make logs human-readable only
D.To enable automated analysis and querying of logs
AnswerD

Structured logs allow tools like Loki or Elasticsearch to index and search log fields efficiently.

Why this answer

Structured logging formats log data in a consistent, machine-parseable format (e.g., JSON) with key-value pairs. This enables automated tools like Elasticsearch, Loki, or Splunk to efficiently index, search, filter, and aggregate logs, which is essential for observability at scale. The primary purpose is to facilitate automated analysis and querying, not to replace other telemetry signals or to focus on human readability alone.

Exam trap

The trap here is that candidates confuse 'structured logging' with 'log formatting for readability' (Option C), but the KCNA exam emphasizes that structured logging is fundamentally about enabling automated processing and correlation, not just making logs easier for humans to read.

How to eliminate wrong answers

Option A is wrong because structured logging does not replace metrics and traces; it complements them as part of the three pillars of observability (logs, metrics, traces), each serving a distinct purpose. Option B is wrong because structured logging often increases log file size due to added metadata (e.g., JSON keys), not reduces it; compression or sampling is used for size reduction. Option C is wrong because while structured logs can be formatted for readability, their core design is for machine parsing, not human readability; unstructured plain-text logs are typically more human-readable.
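The point of Option D in working form, as an added example written for this page (not code from the KCNA material or from any logging tool): the same events as newline-delimited JSON, a field-level query over them, and the substring search a free-text log would force you into. The log lines are constructed, and the field names (ts, level, service, pod, status, latency_ms, msg) are an assumed schema, not a standard.

```python
"""Structured (JSON) logs can be filtered and aggregated by field; free text cannot.

Added example written for this page, not taken from the KCNA material or from
any logging tool. The log lines are constructed; the field names are an assumed
schema, not a standard.
"""
import json
from collections import Counter

# Constructed sample: one JSON object per line, as an app writes them to stdout
# for the container runtime to capture. The last line is deliberately malformed.
SAMPLE_LOGS = """\
{"ts":"2024-05-01T10:00:01Z","level":"info","service":"checkout","pod":"checkout-7d9f-abc12","status":200,"latency_ms":41,"msg":"order placed"}
{"ts":"2024-05-01T10:00:02Z","level":"error","service":"checkout","pod":"checkout-7d9f-abc12","status":502,"latency_ms":1203,"msg":"upstream timeout"}
{"ts":"2024-05-01T10:00:02Z","level":"warn","service":"auth","pod":"auth-5c4b-xyz99","status":401,"latency_ms":8,"msg":"invalid token for user error@example.com"}
{"ts":"2024-05-01T10:00:03Z","level":"error","service":"checkout","pod":"checkout-7d9f-def34","status":500,"latency_ms":77,"msg":"nil pointer dereference"}
{"ts":"2024-05-01T10:00:04Z","level":"info","service":"auth","pod":"auth-5c4b-xyz99","status":200,"latency_ms":5,"msg":"login ok"}
panic: runtime error (stray stack-trace fragment, not JSON)
"""


def parse_ndjson(text: str) -> tuple[list[dict], list[str]]:
    """Parse newline-delimited JSON into records; keep unparseable lines aside.

    A malformed line is retained raw instead of aborting the batch, so a stray
    stack trace does not take the rest of the pipeline down with it.
    """
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(line)
            continue
        if isinstance(obj, dict):
            records.append(obj)
        else:
            rejected.append(line)
    return records, rejected


def where(records: list[dict], **fields) -> list[dict]:
    """Exact-match filter on fields, e.g. where(recs, level="error", service="checkout")."""
    return [r for r in records if all(r.get(k) == v for k, v in fields.items())]


def count_by(records: list[dict], field: str) -> dict:
    """Aggregate: number of records per distinct value of `field`."""
    return dict(Counter(r.get(field) for r in records))


def server_errors_by_service(records: list[dict]) -> dict:
    """5xx responses per service: a range query on a typed numeric field."""
    hits = [r for r in records if isinstance(r.get("status"), int) and r["status"] >= 500]
    return count_by(hits, "service")


def grep_count(text: str, needle: str) -> int:
    """What a plain-text search does: count lines containing the substring."""
    return sum(1 for line in text.splitlines() if needle in line)


if __name__ == "__main__":
    recs, bad = parse_ndjson(SAMPLE_LOGS)
    print("parsed", len(recs), "records;", len(bad), "rejected")
    print("level=error records:", len(where(recs, level="error")))
    print("lines containing 'error':", grep_count(SAMPLE_LOGS, "error"))
    print("5xx by service:", server_errors_by_service(recs))
```

On this sample the field query `level == "error"` returns two records, while a substring search for "error" matches four lines (it also hits an e-mail address in a warning and the stray stack trace). The numeric `status` field likewise allows "all 5xx per service" as a single query, which is what Loki, Elasticsearch or Splunk index structured fields for.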

446
MCQhard

You run 'kubectl get pods' and see that a pod named 'web-frontend' is in 'Pending' state for more than 5 minutes. What is the most likely cause?

A.The container image does not exist
B.There are insufficient resources on any node to schedule the pod
C.The pod's readiness probe is failing
D.The pod's liveness probe is failing
AnswerB

Lack of CPU/memory or other constraints keeps the pod pending.

Why this answer

A pod stuck in 'Pending' state for an extended period typically indicates that the scheduler cannot find a suitable node to run the pod. The most common reason is insufficient resources (CPU, memory, or ephemeral storage) on any available node, causing the scheduler to leave the pod unscheduled. This is confirmed by running 'kubectl describe pod web-frontend' and checking the 'Events' section for 'FailedScheduling' messages.

Exam trap

CNCF often tests the distinction between pod states: candidates confuse 'Pending' (scheduling failure) with image pull errors or probe failures, which occur after scheduling and show up in the STATUS column as different values such as 'ImagePullBackOff' or 'CrashLoopBackOff'. Strictly, the pod's phase stays Pending during an image pull failure, but kubectl displays the container's waiting reason instead of the phase, so a bare 'Pending' means no container has even been handed to a kubelet.

How to eliminate wrong answers

Option A is wrong because if the container image does not exist, the pod is still scheduled to a node first, and `kubectl get pods` then shows 'ErrImagePull' or 'ImagePullBackOff' (the container's waiting reason) rather than a bare 'Pending', even though the pod phase technically remains Pending until a container starts. Option C is wrong because a failing readiness probe leaves the pod in 'Running' with READY 0/1 and removes it from the Service's endpoints; it does not show 'Pending'. Option D is wrong because a failing liveness probe triggers container restarts and eventually 'CrashLoopBackOff', but the pod is scheduled and its phase is 'Running', not 'Pending'.
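The phase-versus-STATUS distinction that this question turns on, as an added example written for this page (it is not kubectl's code): an approximation of how kubectl derives the STATUS column from a pod object, plus a triage step that maps each display value to the cause the options describe. The pod objects are constructed, trimmed versions of `kubectl get pod <name> -o json` output using Pod API field names; the triage wording is ours.

```python
"""Why a pod shown as 'Pending' by `kubectl get pods` points at scheduling.

Added example written for this page; it is not kubectl's code. The pod objects
are constructed, trimmed versions of `kubectl get pod <name> -o json` output
using Pod API field names; the triage wording is ours.
"""


def display_status(pod: dict) -> str:
    """Approximate the STATUS column of `kubectl get pods`.

    kubectl starts from status.phase and then lets a container's waiting or
    terminated reason (ErrImagePull, ImagePullBackOff, CrashLoopBackOff, ...)
    override it. That is why an image-pull failure is displayed as
    ImagePullBackOff although the pod's phase is still Pending, and a crash
    loop as CrashLoopBackOff although the phase is Running.
    """
    status = pod.get("status", {})
    if pod.get("metadata", {}).get("deletionTimestamp"):
        return "Terminating"
    shown = status.get("phase", "Unknown")
    for cs in status.get("containerStatuses", []):
        state = cs.get("state", {})
        if state.get("waiting", {}).get("reason"):
            shown = state["waiting"]["reason"]
        elif state.get("terminated", {}).get("reason"):
            shown = state["terminated"]["reason"]
    return shown


def triage(pod: dict) -> str:
    """Map what kubectl shows to the likely cause, as the question's options do."""
    status = pod.get("status", {})
    shown = display_status(pod)
    if shown == "Pending":
        for cond in status.get("conditions", []):
            if cond.get("type") == "PodScheduled" and cond.get("status") == "False":
                # Same information `kubectl describe pod` prints as a FailedScheduling event.
                return "unschedulable: " + cond.get("message", cond.get("reason", ""))
        return "pending: scheduled, containers not created yet"
    if shown in ("ErrImagePull", "ImagePullBackOff"):
        return "image pull failing (pod was scheduled; phase still Pending)"
    if shown == "CrashLoopBackOff":
        return "container keeps exiting (crash or failed liveness probe; phase Running)"
    if shown == "Running":
        ready = [cs.get("ready", False) for cs in status.get("containerStatuses", [])]
        if ready and not all(ready):
            return "running but not ready (readiness probe failing)"
        return "running and ready"
    return "other: " + shown


# Constructed pod objects (trimmed to the fields used above).
PENDING_UNSCHEDULABLE = {
    "metadata": {"name": "web-frontend"},
    "status": {
        "phase": "Pending",
        "conditions": [{"type": "PodScheduled", "status": "False", "reason": "Unschedulable",
                        "message": "0/3 nodes are available: 3 Insufficient memory."}],
        # no containerStatuses: no kubelet has been given this pod yet
    },
}
IMAGE_PULL_FAILED = {
    "metadata": {"name": "web-frontend"},
    "status": {
        "phase": "Pending",
        "conditions": [{"type": "PodScheduled", "status": "True"}],
        "containerStatuses": [{"name": "web", "ready": False, "restartCount": 0,
            "state": {"waiting": {"reason": "ImagePullBackOff",
                                  "message": "Back-off pulling image"}}}],
    },
}
CRASH_LOOPING = {
    "metadata": {"name": "web-frontend"},
    "status": {
        "phase": "Running",
        "containerStatuses": [{"name": "web", "ready": False, "restartCount": 6,
            "state": {"waiting": {"reason": "CrashLoopBackOff",
                                  "message": "back-off 5m0s restarting failed container"}}}],
    },
}
NOT_READY = {
    "metadata": {"name": "web-frontend"},
    "status": {
        "phase": "Running",
        "containerStatuses": [{"name": "web", "ready": False, "restartCount": 0,
            "state": {"running": {"startedAt": "2024-05-01T10:00:00Z"}}}],
    },
}

if __name__ == "__main__":
    for pod in (PENDING_UNSCHEDULABLE, IMAGE_PULL_FAILED, CRASH_LOOPING, NOT_READY):
        print(f"{display_status(pod):18} phase={pod['status']['phase']:8} {triage(pod)}")
```

Only the first pod displays as plain 'Pending', and its PodScheduled condition carries the same "Insufficient memory" text that `kubectl describe pod web-frontend` shows as a FailedScheduling event. The image-pull case has the same phase but is displayed as ImagePullBackOff, and both probe cases have phase Running.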

447
Multi-Selectmedium

Which TWO of the following are CNCF graduated projects? (Choose two.)

Select 2 answers
A.Helm
B.Linkerd
C.Knative
D.Envoy
E.Kubernetes
AnswersD, E

Envoy is a graduated CNCF project.

Why this answer

Of the listed options, the answer key counts Kubernetes (graduated in 2018) and Envoy (graduated in 2018) as the graduated projects and treats Helm, Linkerd and Knative as incubating. That reflects the CNCF landscape when the question was written: Helm graduated in April 2020 and Linkerd in July 2021, so four of the five options are graduated today and only Knative is still incubating. Maturity levels change, so check the current list at https://www.cncf.io/projects/ before the exam rather than memorising a snapshot.

448
Multi-Selectmedium

Which TWO of the following are common log aggregation tools used in Kubernetes environments? (Select two)

Select 2 answers
A.Loki
B.Fluentd
C.Prometheus
D.Jaeger
E.Fluent Bit
AnswersB, E

Fluentd is a widely used log collector and forwarder.

Why this answer

Fluentd and Fluent Bit are the log collectors and forwarders in the list: deployed as a DaemonSet on every node, they tail the container log files, parse and enrich the records (for example with pod and namespace labels) and ship them to a backend. Loki is a log storage and query backend that receives logs from such agents rather than collecting them from nodes itself, so in the collector/forwarder sense the question intends it is not one of the answers, even though Grafana describes it as a log aggregation system. Prometheus scrapes metrics and Jaeger collects distributed traces; neither handles logs.

449
MCQeasy

What is the smallest deployable unit in Kubernetes that you can create and manage?

A.Service
B.Container
C.Pod
D.Deployment
AnswerC

A Pod is the smallest deployable unit.

Why this answer

A Pod is the smallest and simplest unit in the Kubernetes object model that you can create and deploy. It represents a single instance of a running process in your cluster and encapsulates one or more containers with shared storage and network resources. While containers are the actual runtime environments, Kubernetes does not manage containers directly; it manages Pods, which are the atomic unit of scheduling and lifecycle management.

Exam trap

The trap here is that candidates confuse the container (the runtime technology) with the Pod (the Kubernetes API object), leading them to select 'Container' because they think of Docker containers as the smallest unit, but Kubernetes abstracts containers into Pods as the atomic deployable unit.

How to eliminate wrong answers

Option A is wrong because a Service is an abstraction that defines a logical set of Pods and a policy to access them; it is not a deployable unit but rather a networking resource that sits on top of Pods. Option B is wrong because a Container is not a Kubernetes API object; Kubernetes manages containers only within the context of a Pod, and you cannot create or manage a standalone container via the Kubernetes API. Option D is wrong because a Deployment is a higher-level controller that manages ReplicaSets and Pods; it is not the smallest deployable unit but rather a declarative way to manage Pod scaling and updates.

450
MCQeasy

Which component runs on every worker node and is responsible for ensuring that containers are running in a pod as specified in the PodSpec?

A.container runtime
B.kube-proxy
C.kubelet
D.kube-scheduler
AnswerC

The kubelet is the primary node agent that ensures containers are running in a pod as expected.

Why this answer

The kubelet is the primary node agent that runs on every worker node in a Kubernetes cluster. It is responsible for ensuring that containers described in a PodSpec are running and healthy, by interacting with the container runtime (e.g., containerd, CRI-O) to create, start, and monitor pods. The kubelet does not manage containers that were not created by Kubernetes.

Exam trap

The trap here is that candidates confuse the kubelet with the container runtime, assuming the runtime itself reads PodSpecs, when in fact the kubelet is the orchestrator that translates PodSpecs into runtime actions via the CRI.

How to eliminate wrong answers

Option A is wrong because the container runtime (e.g., containerd, CRI-O) is the software that actually runs containers, but it does not interpret PodSpecs or enforce desired state — it only executes container lifecycle operations when instructed by the kubelet. Option B is wrong because kube-proxy is a network proxy that runs on each node, handling service-to-pod traffic routing via iptables or IPVS rules, and has no role in container lifecycle management. Option D is wrong because kube-scheduler is a control plane component that assigns pods to nodes based on resource availability and constraints, but it does not run on worker nodes and does not manage running containers.
