Kubernetes and Cloud Native Associate (KCNA) — Questions 451–525

997 questions total · 14 pages · All types, answers revealed

Page 7 of 14

451
MCQ · hard

A cluster administrator notices that a Deployment's pods are not receiving traffic as expected. The Service selector matches the pod labels. What is a possible cause?

A. The pods have a liveness probe that fails
B. The Deployment replicas are set to zero
C. The pods have a failing readiness probe
D. The Service type is NodePort
Answer: C

The readiness probe determines whether a pod should receive traffic. A failing probe removes the pod from the Service's endpoints.

Why this answer

A Service only forwards traffic to pods that are ready (i.e., that pass their readiness probes). If the readiness probe fails, the pod is removed from the Service's endpoints.

452
MCQ · medium

Which of the following is a correct apiVersion for a Deployment in a modern Kubernetes cluster (v1.19+)?

A. apiVersion: extensions/v1beta1
B. apiVersion: v1
C. apiVersion: apps/v1
D. apiVersion: apps/v1beta1
Answer: C

apps/v1 is the current stable version for Deployments.

Why this answer

Deployments are stable in the apps/v1 API group.

453
MCQ · hard

A developer created a Deployment with 5 replicas. After applying the manifest, only 3 pods are Running; the other 2 are Pending. Which is the MOST likely cause?

A. The readiness probe is failing
B. A NetworkPolicy is blocking traffic to the pods
C. The container image is misspelled
D. The nodes do not have enough available CPU or memory to schedule the additional pods
Answer: D

If nodes lack resources, the scheduler leaves pods in Pending state until resources become available.

Why this answer

Pending pods typically indicate that the scheduler cannot find a suitable node. The most common reason is insufficient resources (CPU or memory) on the nodes. Image pull errors or readiness probe failures would result in CrashLoopBackOff or not Ready, not Pending.

Network policies do not prevent pod scheduling.

454
Multi-Select · hard

Which THREE actions can be performed using kubectl without installing additional plugins?

Select 3 answers
A. Run 'kubectl debug' to create a debugging Pod.
B. Run 'kubectl edit deployment' to modify a Deployment in-place.
C. Run 'kubectl auth reconcile' to reconcile RBAC permissions.
D. Run 'kubectl cp' to copy files to and from containers.
E. Run 'kubectl logs' to view the logs of a container in a Pod.
Answers: B, D, E

kubectl edit opens the resource's manifest in an editor, allowing changes.

Why this answer

Option B is correct because 'kubectl edit deployment' is a built-in kubectl command that opens the Deployment's manifest in the default editor, allowing in-place modifications without any additional plugins. It directly interacts with the Kubernetes API to update the resource.

Exam trap

CNCF often tests the distinction between built-in kubectl commands and those requiring plugins, where candidates mistakenly assume that any useful debugging or auth command is native to kubectl.

455
MCQ · easy

Which Kubernetes control plane component is responsible for maintaining the desired state of the cluster by running controller loops?

A. etcd
B. kube-apiserver
C. kube-controller-manager
D. kube-scheduler
Answer: C

The kube-controller-manager runs controller loops that reconcile the current state with the desired state.

Why this answer

The kube-controller-manager is the control plane component that runs controller loops, which are continuous processes that watch the shared state of the cluster through the kube-apiserver and make changes to drive the current state toward the desired state. Each controller (e.g., ReplicaSet, Node, Deployment) is a separate loop that handles a specific aspect of cluster management, ensuring that the actual cluster state matches the desired configuration defined in the API objects.

Exam trap

CNCF often tests the misconception that the kube-apiserver handles all cluster logic, but the trap here is that the kube-apiserver only exposes the API and validates requests, while the actual reconciliation loops that enforce desired state are run exclusively by the kube-controller-manager.

How to eliminate wrong answers

Option A is wrong because etcd is a distributed key-value store that holds all cluster data, but it does not run controller loops or enforce desired state; it is a passive storage backend. Option B is wrong because kube-apiserver is the front-end for the Kubernetes API that validates and processes RESTful requests, but it does not execute controller reconciliation logic; it serves as the communication gateway. Option D is wrong because kube-scheduler is responsible for assigning pods to nodes based on resource availability and constraints, not for maintaining the overall desired state of the cluster via controller loops.

456
MCQ · medium

In Kustomize, what is the purpose of an overlay?

A. To template values using Go templates
B. To apply patches and modifications on top of a base
C. To define the base set of Kubernetes resources shared across environments
D. To manage Helm releases
Answer: B

Overlays contain patches that customize the base for specific environments.

Why this answer

Overlays in Kustomize allow you to define environment-specific customizations (e.g., dev, prod) on top of a common base configuration.

457
Matching · medium

Match each Kubernetes storage concept to its description.


Request for storage by a user, referencing a PersistentVolume

Describes classes of storage with different QoS, backup policies, etc.

Ephemeral volume that shares a pod's lifecycle

Mounts a file or directory from the host node's filesystem

Container Storage Interface standard for pluggable storage drivers

Why these pairings

These are key storage abstractions in Kubernetes.

458
MCQ · medium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A. Increase the memory limit in the pod's container resource specification
B. Delete and recreate the pod to clear the crash loop
C. Increase the CPU request for the container
D. Delete the namespace and redeploy all workloads
Answer: A

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option A is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option B would not help: restarting the pod without addressing the root cause will result in the same failure. Option C addresses CPU, not memory. Option D (deleting the namespace) is destructive and unnecessary.

459
MCQ · hard

You want to run a batch job that processes a queue and then terminates. Which Kubernetes resource should you use?

A. Job
B. Deployment
C. CronJob
D. DaemonSet
Answer: A

Jobs are designed for finite tasks that run to completion.

Why this answer

A Job creates one or more pods and ensures they run successfully to completion. For batch processing that terminates, a Job is appropriate.

460
MCQ · medium

What is the purpose of the circuit breaker pattern in a microservices architecture?

A. To balance load across multiple instances
B. To handle authentication between services
C. To encrypt data in transit
D. To prevent a service from being overwhelmed by requests when it is failing
Answer: D

The circuit breaker pattern stops requests to a failing service, allowing it to recover.

Why this answer

Option D is correct because the circuit breaker pattern is a stability pattern that monitors for failures and prevents a service from making requests to a failing downstream service, allowing it to recover. When the failure rate exceeds a threshold (e.g., 50% of requests fail within a 10-second sliding window), the circuit 'opens' and subsequent calls fail immediately without consuming resources. This prevents cascading failures and resource exhaustion in distributed systems like Kubernetes or Spring Cloud.

Exam trap

CNCF often tests the distinction between 'preventing overload from a failing service' (circuit breaker) and 'distributing load across healthy instances' (load balancer), so candidates mistakenly pick load balancing when they see 'overwhelmed by requests' in the question.

How to eliminate wrong answers

Option A is wrong because load balancing distributes incoming traffic across healthy instances (e.g., via Round Robin or Least Connections), not preventing overload from a failing service. Option B is wrong because authentication between services is handled by mechanisms like OAuth2, JWT, or mTLS, not by the circuit breaker pattern. Option C is wrong because encrypting data in transit is achieved via TLS/SSL (e.g., HTTPS, gRPC with TLS), not by circuit breakers which operate at the application or network layer to manage fault tolerance.

461
MCQ · hard

The exhibit shows pod status and logs. The web pod lmn34 has restarted 3 times. What is the root cause of the liveness probe failure?

A. The container is hitting a memory limit and being OOMKilled.
B. A network policy is blocking traffic to the database.
C. The database service is not reachable, causing the application to fail its health check.
D. The readiness probe is misconfigured and not allowing traffic.
Answer: C

The log indicates a database connection failure, and the liveness probe returns 503, causing restarts.

Why this answer

The liveness probe failure is caused by the database service being unreachable, which prevents the application from completing its health check. When the database is down or network connectivity is lost, the application's health endpoint returns a non-200 status code, causing Kubernetes to restart the container. The 3 restarts indicate repeated probe failures, and the logs show connection errors to the database, confirming this as the root cause.

Exam trap

CNCF often tests the distinction between liveness and readiness probes, where candidates confuse readiness probe misconfiguration (which only affects traffic routing) with liveness probe failures (which cause container restarts).

How to eliminate wrong answers

Option A is wrong because OOMKilled would show a container exit code of 137 and a 'OOMKilled' reason in pod status, not just restarts with probe failures. Option B is wrong because a network policy blocking traffic to the database would cause persistent connection failures, but the exhibit shows no evidence of network policy configuration or related errors. Option D is wrong because readiness probe misconfiguration affects traffic routing, not container restarts; liveness probe failures cause restarts, and readiness probe failures only remove the pod from service endpoints.

462
MCQ · hard

What is context propagation in distributed tracing?

A. Sampling traces to reduce data volume
B. Visualizing traces in a user interface
C. Carrying trace context (trace ID, span ID) across services
D. Storing trace data in a centralized database
Answer: C

Context propagation passes metadata to correlate spans.

Why this answer

Context propagation carries trace context across service boundaries to connect spans into a single trace.

463
MCQ · medium

You notice that a pod is in 'Pending' state for a long time. Which of the following is the most likely cause?

A. The pod's liveness probe is failing.
B. No node has enough CPU or memory to meet the pod's requests.
C. The pod's readiness probe is not configured.
D. The container image does not exist.
Answer: B

Insufficient resources prevent scheduling, leaving the pod Pending.

Why this answer

A pod remains Pending if the scheduler cannot find a node that satisfies its resource requests or other constraints.

464
MCQ · medium

You want to ensure that a Pod runs on every Node in the cluster. Which resource should you use?

A. Deployment
B. DaemonSet
C. ReplicaSet
D. StatefulSet
Answer: B

DaemonSets run a Pod on each Node (or a subset if nodeSelector is used).

Why this answer

A DaemonSet ensures that a copy of a Pod runs on every Node in the cluster, including when new Nodes are added. This is the correct resource for cluster-wide services like log collectors, monitoring agents, or kube-proxy, as it automatically schedules a Pod on each Node and respects node taints and tolerations.

Exam trap

CNCF often tests the misconception that a Deployment with a replica count equal to the number of Nodes will achieve the same effect, but candidates overlook that Deployments do not enforce per-Node scheduling and can leave some Nodes empty due to scheduling constraints or resource limits.

How to eliminate wrong answers

Option A is wrong because a Deployment manages a set of identical Pods with a desired replica count, but it does not guarantee placement on every Node; it uses a scheduler to distribute Pods across available Nodes, which may leave some Nodes empty. Option C is wrong because a ReplicaSet is a lower-level resource that ensures a specified number of Pod replicas are running, but it has no mechanism to enforce per-Node scheduling; it is typically used by Deployments for replica management. Option D is wrong because a StatefulSet is designed for stateful applications that require stable, unique network identities and persistent storage, not for running a Pod on every Node; it uses ordinal indexing and can be scheduled on a subset of Nodes.

465
MCQ · easy

What is the primary purpose of the kube-scheduler in a Kubernetes cluster?

A. Assigning pods to nodes
B. Running container runtime operations
C. Storing the cluster state
D. Exposing the Kubernetes API
Answer: A

The kube-scheduler selects a suitable node for each unscheduled pod.

Why this answer

The kube-scheduler is responsible for assigning pending pods to worker nodes based on resource availability and constraints.

466
MCQ · hard

An application requires that a set of Pods each be assigned a unique DNS name that can be used for peer-to-peer communication. Which Kubernetes resource should be used?

A. Job with a Service
B. DaemonSet with a Service
C. StatefulSet with a Headless Service
D. Deployment with a Service
Answer: C

StatefulSets assign stable, unique DNS names to pods, typically used with a Headless Service for peer discovery.

Why this answer

A StatefulSet with a Headless Service is correct because StatefulSets assign each Pod a stable, unique network identity (e.g., pod-name-0.service-name.namespace.svc.cluster.local) that persists across rescheduling. A Headless Service (clusterIP: None) disables load balancing and DNS round-robin, allowing direct DNS resolution to individual Pod IPs for peer-to-peer communication. This matches the requirement for unique DNS names for each Pod.

Exam trap

The trap here is that candidates often assume any Service provides unique DNS names, but only a Headless Service combined with a StatefulSet yields per-Pod DNS entries; a regular Service (ClusterIP or NodePort) always load-balances to a single virtual IP.

How to eliminate wrong answers

Option A is wrong because a Job is designed for batch processing tasks that run to completion, not for long-running Pods requiring stable DNS identities; a Service with a Job would still use a regular ClusterIP, which load-balances across Pods and does not provide unique per-Pod DNS names. Option B is wrong because a DaemonSet ensures one Pod per Node but does not guarantee stable, unique DNS names for each Pod; combined with a regular Service, DNS resolves to the Service IP, not individual Pods. Option D is wrong because a Deployment creates identical, interchangeable Pods with no stable identity; a regular Service provides a single DNS name that load-balances across all Pods, not unique per-Pod DNS names.

467
MCQ · easy

A startup wants to minimize downtime during application updates in Kubernetes. Which deployment strategy should they use?

A. RollingUpdate
B. Canary
C. Blue/Green
D. Recreate
Answer: A

Replaces pods incrementally, maintaining availability.

Why this answer

The RollingUpdate strategy is the default in Kubernetes and minimizes downtime by gradually replacing old Pods with new ones while the application remains available. It uses the configurable `maxSurge` and `maxUnavailable` parameters to control the rate of change, ensuring that a specified number of Pods are always serving traffic. This makes it ideal for startups seeking zero-downtime updates without the complexity of additional tooling or infrastructure.

Exam trap

The trap here is that candidates often confuse 'minimizing downtime' with 'risk mitigation' and pick Canary or Blue/Green, but the question specifically asks for the simplest strategy to minimize downtime during updates, which is RollingUpdate by default in Kubernetes.

How to eliminate wrong answers

Option B (Canary) is wrong because while it reduces risk by routing a small percentage of traffic to the new version, it is not primarily designed to minimize downtime during updates; it focuses on validating changes with a subset of users and often requires additional service mesh or ingress configuration. Option C (Blue/Green) is wrong because it minimizes downtime by running two full environments and switching traffic instantly, but it doubles resource costs and is not the simplest or most cost-effective choice for a startup aiming to minimize downtime without extra overhead. Option D (Recreate) is wrong because it terminates all old Pods before creating new ones, causing guaranteed downtime during the update, which directly contradicts the goal of minimizing downtime.

468
MCQ · medium

Which command would you use to get the logs of a pod named 'backend' in the 'production' namespace?

A. kubectl log pod backend -n production
B. kubectl get logs backend -n production
C. kubectl logs -n production pod/backend
D. kubectl logs backend --namespace=production
Answer: D

Correct syntax using --namespace flag.

Why this answer

Option D is correct because `kubectl logs` is the correct command to retrieve pod logs in Kubernetes, and `--namespace=production` (or `-n production`) specifies the namespace. The syntax `kubectl logs <pod-name> --namespace=<namespace>` is the standard, valid form. This command fetches the current logs from the pod's default container.

Exam trap

The trap here is that candidates confuse `kubectl get` (used for listing resources) with `kubectl logs` (used for retrieving logs), and may also incorrectly add the resource type prefix `pod/` which is valid for `kubectl describe` or `kubectl delete` but not for `kubectl logs`.

How to eliminate wrong answers

Option A is wrong because the verb is `log` instead of `logs`; `kubectl log` is not a valid command. Option B is wrong because `kubectl get logs` is not a valid subcommand; `get` is used for resources like pods, not logs. Option C is wrong because the syntax `kubectl logs -n production pod/backend` is incorrect; the resource type prefix `pod/` is not used with `kubectl logs` — the correct form is `kubectl logs backend -n production`.

469
MCQ · easy

Which Kubernetes object provides a stable IP address and DNS name for a set of Pods?

A. Ingress
B. ConfigMap
C. Service
D. Deployment
Answer: C

A Service abstracts a set of Pods and provides a stable IP and DNS name.

Why this answer

A Service provides a stable virtual IP address and a DNS name (e.g., my-svc.namespace.svc.cluster.local) that remains constant even as Pods are created or destroyed. This enables reliable network access to a dynamic set of Pods selected via labels, abstracting away Pod IP volatility.

Exam trap

CNCF often tests the misconception that a Deployment provides a stable network identity, when in fact it only manages Pod replicas and their lifecycle, while the Service object is solely responsible for stable IP/DNS abstraction.

How to eliminate wrong answers

Option A is wrong because an Ingress is not an IP/DNS provider for Pods; it is an API object that manages external HTTP/HTTPS routing to Services, typically using a load balancer or reverse proxy, and does not assign a stable IP to Pods directly. Option B is wrong because a ConfigMap is used to store non-confidential configuration data as key-value pairs or files, and it has no networking or IP assignment functionality. Option D is wrong because a Deployment manages the desired state and lifecycle of Pods (e.g., scaling, rolling updates) but does not provide a stable network endpoint; Pods created by a Deployment receive ephemeral IPs that change on restart.

470
Multi-Select · hard

Which two scenarios would benefit from using a StatefulSet instead of a Deployment? (Choose two.)

Select 2 answers
A. An application that requires persistent storage unique to each instance
B. A database cluster that requires stable network identities
C. A batch job that runs once and exits
D. A stateless web application that can scale horizontally
E. A microservice that can use any available node
Answers: A, B

StatefulSet can use PersistentVolumeClaims with unique volumes per pod.

Why this answer

StatefulSet provides stable network identities and persistent storage per pod, suitable for stateful applications like databases.

471
MCQ · medium

A container image is built from a Dockerfile with multiple layers. Which statement about container image layers is TRUE?

A. Each layer is created by a RUN instruction and can be modified after the image is built
B. Each layer is unique to the image and cannot be shared with other images
C. Layers are read-only and can be reused across different images
D. All layers in a container image are writable at runtime
Answer: C

Image layers are read-only and are shared across images that use the same base or intermediate layers, improving efficiency.

Why this answer

Option C is correct because container image layers are read-only and are stored in a content-addressable storage (e.g., overlayfs, aufs). These layers can be reused across different images when they share the same content hash, which is a fundamental efficiency of Docker's union filesystem. This layer sharing reduces disk usage and speeds up image pulls.

Exam trap

CNCF often tests the misconception that all layers are writable at runtime, but in reality only the container's writable layer is mutable, while the underlying image layers remain read-only.

How to eliminate wrong answers

Option A is wrong because each layer is created by any instruction in the Dockerfile (not just RUN), and layers are immutable after the image is built; they cannot be modified. Option B is wrong because layers are identified by their content hash (SHA256) and are shared between images that use the same base layers, such as multiple images based on the same Ubuntu base. Option D is wrong because at runtime, a thin writable container layer is added on top of the read-only image layers; the image layers themselves remain read-only.

472
MCQ · easy

What is the primary purpose of a Kubernetes Service?

A. To expose a set of pods as a network service with a stable endpoint
B. To provide persistent storage for pods
C. To store configuration data for pods
D. To manage rolling updates of applications
Answer: A

A Service provides a stable endpoint and load balancing for pods.

Why this answer

A Kubernetes Service provides a stable network endpoint (IP address and DNS name) to access a set of pods, which are ephemeral and can be rescheduled with different IPs. It acts as an abstraction layer, enabling load-balanced traffic to the pods via kube-proxy and iptables/IPVS rules. This is the core purpose of a Service, as defined in the Kubernetes API.

Exam trap

CNCF often tests the misconception that a Service manages pod lifecycle or updates, but the trap here is confusing the role of a Service (stable network abstraction) with that of a Deployment (reconciliation and rolling updates).

How to eliminate wrong answers

Option B is wrong because persistent storage for pods is provided by PersistentVolume (PV) and PersistentVolumeClaim (PVC) resources, not by a Service. Option C is wrong because configuration data for pods is stored in ConfigMaps or Secrets, not in a Service. Option D is wrong because managing rolling updates of applications is the responsibility of a Deployment (or StatefulSet), which uses a ReplicaSet to control the update strategy; a Service only exposes the pods, it does not manage their lifecycle or updates.

473
MCQ · easy

What is the primary purpose of structured logging?

A. To format logs in a consistent, machine-readable way for easier processing
B. To compress log files and reduce storage usage
C. To encrypt log data for security purposes
D. To send logs directly to the user's terminal
Answer: A

Correct. Structured logging uses formats like JSON to enable automated analysis.

Why this answer

Structured logging outputs logs in a consistent, machine-readable format (e.g., JSON) making it easier to parse, filter, and analyze log data.

474
Drag & Drop · medium

Drag and drop the steps to create a Kubernetes deployment using kubectl into the correct order.


Why this order

First, define the deployment in a YAML file, then apply it, verify creation, check pods, and optionally expose it as a service.

475
MCQ · medium

You want to view the logs of a container named 'app' inside a pod named 'web-pod-7d4f8'. Which kubectl command should you use?

A. kubectl exec web-pod-7d4f8 -c app -- logs
B. kubectl log web-pod-7d4f8 --container app
C. kubectl logs web-pod-7d4f8 -c app
D. kubectl logs web-pod-7d4f8 app
Answer: C

This is the correct command to view logs of a specific container in a pod.

Why this answer

kubectl logs is used to fetch container logs. When a pod has multiple containers, the -c flag specifies the container. Options B and D have incorrect syntax; option A is for running commands in a container, not viewing logs.

476
MCQ · medium

A Deployment manages ReplicaSets. What is the primary benefit of using a Deployment over directly managing ReplicaSets?

A. Deployments can expose services externally
B. Deployments support rolling updates and rollbacks
C. Deployments automatically configure DNS
D. Deployments provide persistent storage
Answer: B

Deployments enable controlled updates with revision history.

Why this answer

The primary benefit of using a Deployment over directly managing ReplicaSets is that Deployments provide declarative updates for Pods and ReplicaSets, including built-in support for rolling updates and rollbacks. This allows you to update the desired state (e.g., a new container image version) and have the Deployment controller automatically orchestrate the transition, while also enabling you to revert to a previous revision if the update fails. Directly managing ReplicaSets would require manual steps to scale down old ReplicaSets and scale up new ones, and it lacks the automated revision history and rollback capabilities that Deployments offer.

Exam trap

CNCF often tests the misconception that Deployments directly manage Pods, but the trap here is that candidates may confuse the Deployment's high-level features (like rolling updates) with other Kubernetes resources (Services, DNS, storage) that handle networking, naming, or data persistence, leading them to pick a wrong answer that describes a capability of a different resource.

How to eliminate wrong answers

Option A is wrong because Deployments do not expose services externally; that is the role of a Service (e.g., NodePort, LoadBalancer) or an Ingress resource. Option C is wrong because Deployments do not automatically configure DNS; DNS resolution for Pods and Services is handled by CoreDNS (or kube-dns) based on Service objects, not Deployments. Option D is wrong because Deployments do not provide persistent storage; persistent storage is managed through PersistentVolumeClaims (PVCs) and StorageClasses, which are referenced by Pods in a Deployment's template, but the Deployment itself does not provision or attach storage.

477
MCQ · medium

Which command would you use to view the logs of a container named 'sidecar' inside a pod named 'app'?

A. kubectl logs app -c sidecar
B. kubectl logs app sidecar
C. kubectl logs sidecar app
D. kubectl logs sidecar -p app
Answer: A

This command retrieves logs from the specified container.

Why this answer

Use `kubectl logs` with the `-c` flag to specify the container name when a pod has multiple containers.

478
MCQ · hard

A startup is designing a cloud-native application that processes IoT sensor data. The data arrives in bursts, and processing must be fault-tolerant with exactly-once semantics. The team considers Apache Kafka, RabbitMQ, and Amazon SQS. Which choice best meets the requirements of a cloud-native architecture?

A. Use Apache Kafka with idempotent producers and transactional APIs.
B. Use Amazon SQS with FIFO queues for ordering and deduplication.
C. Use RabbitMQ with publisher confirms and consumer acknowledgements.
D. Implement an HTTP endpoint that the IoT devices call directly.
Answer: A

Kafka's transactional support ensures exactly-once semantics, and its log-based architecture handles bursty data well.

Why this answer

Apache Kafka with idempotent producers and transactional APIs is the correct choice because it provides exactly-once semantics (EOS) for bursty IoT data in a cloud-native architecture. Kafka's transactional API ensures atomic writes across partitions, while idempotent producers prevent duplicate records from retries, meeting the fault-tolerance and exactly-once requirements. Kafka also scales horizontally and handles high-throughput bursts natively, aligning with cloud-native principles.

Exam trap

CNCF often tests the misconception that FIFO queues or publisher confirms provide exactly-once semantics, but they only guarantee at-least-once delivery with deduplication or ordering, not the atomic, idempotent write guarantees that Kafka's transactional API provides.

How to eliminate wrong answers

Option B is wrong because Amazon SQS FIFO queues offer at-least-once delivery with deduplication, not exactly-once semantics; deduplication relies on a 5-minute deduplication ID window, which can fail for bursty data with delayed retries. Option C is wrong because RabbitMQ with publisher confirms and consumer acknowledgements provides at-least-once delivery, not exactly-once; consumer acknowledgements can cause duplicate processing if the consumer crashes after processing but before acknowledging. Option D is wrong because an HTTP endpoint called directly by IoT devices is not fault-tolerant and cannot guarantee exactly-once semantics; HTTP is stateless and prone to duplicate requests from retries, with no built-in ordering or deduplication.

479
MCQ · medium

Which tool is primarily used for distributed tracing in cloud native environments?

A. Grafana
B. Fluentd
C. Jaeger
D. Prometheus
Answer: C

Jaeger is a distributed tracing tool.

Why this answer

Jaeger is a popular open-source distributed tracing system.

480
MCQ · medium

What does the 'kubectl get pods' command display?

A. Detailed information about a specific pod
B. A list of all pods in the current namespace
C. The YAML definition of a pod
D. The logs of all pods
Answer: B

kubectl get pods lists pods with name, ready status, and other columns.

Why this answer

kubectl get pods lists all pods in the current namespace with basic status.

481
Multi-Select · medium

Which THREE of the following are benefits of structured logging? (Select three.)

Select 3 answers
A. Easier querying and filtering
B. More human-readable than plain text
C. Reduced storage requirements
D. Machine-parseable output
E. Consistent field names across services
Answers: A, D, E

Fields can be indexed and queried.

Why this answer

Structured logging provides machine-parseable output, enables easier querying and analysis, and ensures consistent field naming. Human readability is not a primary benefit; structured logs can be less human-friendly than plain text.

482
MCQmedium

In serverless computing, what is the primary characteristic of Function-as-a-Service (FaaS)?

A.Stateful execution
B.Always running instances
C.Auto-scaling to zero
D.Manual scaling
AnswerC

Why this answer

FaaS enables functions to scale automatically from zero based on demand, often event-driven.

483
MCQmedium

You have a Deployment named 'web-app' running three replicas. You need to scale it to five replicas. Which kubectl command accomplishes this?

A.kubectl set deployment web-app replicas=5
B.kubectl patch deployment web-app -p '{"replicas":5}'
C.kubectl scale deployment web-app --replicas=5
D.kubectl update deployment web-app --replicas=5
AnswerC

This correctly scales the deployment to 5 replicas.

Why this answer

The 'scale' command is used to change the number of replicas in a Deployment.

484
MCQmedium

A container image is being pushed to a private registry. What is the correct workflow?

A.Push first, then build
B.Push, tag, build
C.Build, tag, push
D.Tag after push
AnswerC

This is the correct sequence.

Why this answer

The standard workflow is: build image, tag it with registry URL, then push to registry.

485
Multi-Selecthard

Which TWO of the following are true about Kubernetes Pods?

Select 2 answers
A.Containers in a pod always have isolated filesystems
B.A pod is the smallest deployable unit in Kubernetes
C.A pod can contain multiple containers that share the same network namespace
D.Pods are designed to be long-lived and never terminated
E.Each container in a pod gets its own IP address
AnswersB, C

Pods are the smallest and most basic deployable objects.

Why this answer

Option B is correct because a Pod is the smallest and most fundamental deployable unit in Kubernetes. It represents a single instance of a running process in the cluster and encapsulates one or more containers with shared storage and network resources. You cannot deploy a container directly; you must always wrap it in a Pod.

Exam trap

The trap here is that candidates often confuse Pods with virtual machines, assuming each container gets its own IP and filesystem isolation, when in fact Pods are designed for tight coupling and shared resources.

486
MCQmedium

An organization wants to implement a serverless function that scales to zero when not in use. Which technology is specifically designed to achieve this on Kubernetes?

A.Knative
B.Prometheus
C.Istio
D.Kubernetes Horizontal Pod Autoscaler (HPA)
AnswerA

Knative Serving provides automatic scaling, including scaling to zero.

Why this answer

Knative Serving supports scale-to-zero, automatically scaling down pods when they are not receiving requests. This is a key feature of serverless on Kubernetes.

487
MCQmedium

You need to run a batch job that processes a queue of 1000 items. The job should run to completion and then terminate. Which Kubernetes resource is BEST suited for this workload?

A.DaemonSet
B.Job
C.Deployment
D.StatefulSet
AnswerB

A Job creates one or more pods and ensures they successfully terminate; ideal for batch workloads.

Why this answer

A Kubernetes Job is designed for batch processing tasks that run to completion and then terminate. It creates one or more Pods and ensures that a specified number of them successfully terminate. For a queue of 1000 items, a Job can be configured with a parallelism value and a completions count to process all items and then exit, making it the ideal resource for this workload.

Exam trap

CNCF often tests the distinction between workloads that run to completion (Jobs) versus those that are expected to run indefinitely (Deployments, DaemonSets), and the trap here is that candidates may choose Deployment because they associate it with 'running a job' in a general sense, without realizing that a Deployment's default behavior is to maintain a desired number of running Pods and restart them if they exit.

How to eliminate wrong answers

Option A is wrong because a DaemonSet ensures that a copy of a Pod runs on every (or selected) Node in the cluster, which is intended for long-running background services like log collection or monitoring, not for batch jobs that terminate. Option C is wrong because a Deployment manages a set of Pods to run continuously (e.g., web servers) and will restart Pods if they exit, which is the opposite of a batch job that should terminate after completion. Option D is wrong because a StatefulSet is used for stateful applications that require stable network identities and persistent storage (e.g., databases), not for ephemeral batch processing tasks.

488
MCQmedium

You have a Kubernetes cluster with multiple namespaces. You need to allow communication only from pods with label 'app: frontend' to pods with label 'app: backend' in the same namespace. Which resource should you use?

A.RBAC Role
B.NetworkPolicy
C.PodSecurityPolicy
D.Service
AnswerB

NetworkPolicy defines rules for allowed ingress and egress traffic between pods based on pod labels, namespaces, or IP blocks.

Why this answer

A NetworkPolicy is used to control ingress and egress traffic to pods based on labels and other selectors. It can be used to restrict communication between pods.

489
MCQeasy

Which Kubernetes control plane component is responsible for maintaining the desired state of the cluster by running reconciliation loops?

A.kube-scheduler
B.etcd
C.kube-apiserver
D.kube-controller-manager
AnswerD

The controller manager runs controllers that implement reconciliation loops to ensure the actual state matches the desired state.

Why this answer

The kube-controller-manager is the control plane component that runs controller processes, each of which watches the current state of the cluster via the kube-apiserver and makes changes to drive the actual state toward the desired state defined in etcd. This reconciliation loop pattern is fundamental to Kubernetes' self-healing behavior, ensuring that resources like deployments, replica sets, and nodes match their specifications.

Exam trap

CNCF often tests the misconception that etcd is responsible for maintaining desired state because it stores the desired state, but the trap is that etcd is only a data store and does not execute reconciliation loops—that is the job of the kube-controller-manager.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is responsible for assigning newly created pods to nodes based on resource requirements and policies, not for maintaining desired state via reconciliation loops. Option B is wrong because etcd is a distributed key-value store that holds the cluster's configuration and state data, but it does not run reconciliation logic or enforce desired state. Option C is wrong because kube-apiserver serves as the front-end for the Kubernetes control plane, exposing the REST API and validating requests, but it does not perform continuous reconciliation; it is the gateway through which controllers interact.

490
MCQmedium

Which of the following best describes 'Infrastructure as Code' (IaC)?

A.Manually configuring servers via SSH
B.Using a scripting language to automate tasks
C.Running containers on a Kubernetes cluster
D.Defining infrastructure resources in a declarative configuration file
AnswerD

IaC uses declarative or imperative code to define infrastructure, promoting version control and reproducibility.

Why this answer

IaC is the practice of managing and provisioning infrastructure through machine-readable definition files, rather than manual processes.

491
Multi-Selectmedium

Which TWO of the following are CNCF graduated projects? (Select 2)

Select 2 answers
A.Prometheus
B.Kyverno
C.Knative
D.Envoy
E.ArgoCD
AnswersA, D

Prometheus is a graduated CNCF project.

Why this answer

Prometheus and Envoy are both CNCF graduated projects. CoreDNS is also graduated, but the question asks for two; Fluentd and Helm are both graduated as well, but the correct answers here are Prometheus and Envoy.

492
MCQmedium

A development team wants to adopt a cloud-native architecture for a new application. Which set of principles BEST describes the cloud-native approach?

A.Microservices, containers, dynamic orchestration, and DevOps
B.Service-oriented architecture, bare-metal servers, static scaling, and Agile
C.Monolithic applications, virtual machines, manual scaling, and waterfall development
D.Serverless functions, virtual machines, manual provisioning, and ITIL
AnswerA

These are the core cloud-native principles as defined by the CNCF.

Why this answer

Cloud-native architectures leverage microservices, containers, dynamic orchestration, and DevOps to enable scalable, resilient applications.

493
Drag & Dropmedium

Drag and drop the steps to set up a Kubernetes cluster using kubeadm into the correct order.

Why this order

First install runtime and Kubernetes tools, then init control plane, add network plugin, and join workers.

494
Multi-Selectmedium

Which TWO of the following are control plane components? (Select TWO)

Select 2 answers
A.etcd
B.kube-apiserver
C.kube-proxy
D.kubelet
E.Container runtime
AnswersA, B

Yes, etcd is a control plane component.

Why this answer

kube-apiserver and etcd are control plane components. kubelet and kube-proxy are worker node components.

495
MCQhard

A pod is stuck in the Pending state. Running 'kubectl describe pod <pod-name>' shows the event: '0/3 nodes are available: 1 node had taint {node.kubernetes.io/disk-pressure: }, 2 nodes had taint {node.kubernetes.io/memory-pressure: }'. What is the most likely cause?

A.All nodes have taints that the pod does not have tolerations for
B.The container image is not found in the registry
C.The pod has a resource request that exceeds available capacity on all nodes
D.The pod's liveness probe is failing
AnswerA

The event indicates that each node has a taint (disk-pressure or memory-pressure) and the pod lacks corresponding tolerations.

Why this answer

The pod is stuck in Pending because the scheduler cannot find a node that satisfies its scheduling constraints. The events show that all three nodes have taints (disk-pressure and memory-pressure), and the pod does not have corresponding tolerations to allow it to be scheduled on those nodes. Without tolerations, the pod is not permitted to run on any of the available nodes, leaving it in the Pending state.

Exam trap

CNCF often tests the distinction between taints/tolerations and resource constraints, where candidates mistakenly attribute a Pending state to resource exhaustion when the actual cause is missing tolerations for node taints.

How to eliminate wrong answers

Option B is wrong because a missing container image would cause an ImagePullBackOff or ErrImagePull error, not a Pending state with node taint events. Option C is wrong because resource requests exceeding capacity would produce events like 'Insufficient memory' or 'Insufficient cpu', not taint-related messages. Option D is wrong because a failing liveness probe only affects running pods (causing restarts or CrashLoopBackOff), not pods that have never been scheduled.

496
MCQmedium

A pod has a liveness probe that returns failure. What action will Kubernetes take?

A.The container will be restarted
B.The service endpoint will be removed
C.The pod will be deleted
D.The pod will be rescheduled to another node
AnswerA

The liveness probe restarts the container to recover from a deadlock.

Why this answer

A failing liveness probe causes the kubelet to restart the container according to the pod's restart policy.

497
MCQeasy

Which of the following is NOT a responsibility of the kubelet on a worker node?

A.Ensure containers are running as defined in the PodSpec
B.Report node and pod status to the API server
C.Assign Pods to nodes based on resource requirements
D.Execute liveness and readiness probes
AnswerC

Pod assignment is the job of the kube-scheduler.

Why this answer

The kubelet does not perform scheduling; scheduling is done by the kube-scheduler.

498
MCQhard

You want to create a new Namespace called 'staging' and apply a ResourceQuota to it. Which of the following YAML snippets correctly defines a ResourceQuota that limits total memory to 10Gi and total CPU to 5 cores in namespace 'staging'?

A.
    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: staging-quota
      namespace: staging
    spec:
      hard:
        requests.cpu: "5"
        requests.memory: 10Gi
B.
    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: staging-quota
      namespace: staging
    spec:
      hard:
        limits.cpu: "5"
        limits.memory: 10Gi
C.
    apiVersion: v1
    kind: LimitRange
    metadata:
      name: staging-limits
      namespace: staging
    spec:
      limits:
      - default:
          cpu: 5
          memory: 10Gi
        defaultRequest:
          cpu: 1
          memory: 1Gi
D.
    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: staging-quota
    spec:
      hard:
        cpu: 5
        memory: 10Gi
AnswerB

Correct syntax for ResourceQuota.

Why this answer

ResourceQuota uses 'spec.hard' with resource names like 'limits.cpu' and 'limits.memory'.

499
MCQmedium

Which command would you use to apply a manifest file 'deployment.yaml' to a Kubernetes cluster?

A.kubectl run deployment.yaml
B.kubectl set image deployment.yaml
C.kubectl apply -f deployment.yaml
D.kubectl create -f deployment.yaml
AnswerC

kubectl apply creates or updates resources declaratively.

Why this answer

The 'kubectl apply' command is used to apply or update resources from a manifest file.

500
MCQeasy

What is the purpose of a Namespace in Kubernetes?

A.To assign IP addresses to services
B.To limit the number of pods that can be created
C.To logically isolate resources like pods and services
D.To provide DNS names for pods
AnswerC

Namespaces provide logical isolation.

Why this answer

Namespaces provide a mechanism to logically isolate groups of resources within a single cluster. They are useful for separating environments (e.g., dev, prod) or teams.

501
Multi-Selecthard

Which THREE of the following are key capabilities of progressive delivery tools like Argo Rollouts?

Select 3 answers
A.Integration with feature flag systems
B.Automated rollback based on metrics or health checks
C.Automatic image vulnerability scanning
D.Traffic splitting between old and new versions
E.Replacing the need for CI/CD pipelines
AnswersA, B, D

Argo Rollouts can integrate with feature flags to control exposure.

Why this answer

Progressive delivery tools enable traffic splitting, automated rollbacks based on metrics, and integration with feature flags.

502
MCQeasy

What is the primary purpose of the CNCF (Cloud Native Computing Foundation)?

A.To provide commercial support for Kubernetes
B.To host and promote open-source cloud native projects
C.To certify cloud providers
D.To develop proprietary cloud software
AnswerB

CNCF's mission is to make cloud native computing ubiquitous by hosting projects like Kubernetes, Prometheus, etc.

Why this answer

The CNCF hosts and nurtures open-source, vendor-neutral cloud native projects, fostering their growth and adoption.

503
Multi-Selecthard

Which THREE statements about Labels and Selectors are correct?

Select 3 answers
A.Services use selectors to determine which Pods receive traffic
B.Selectors are used by Deployments to identify the Pods they manage
C.Labels can be used to organize and select subsets of objects
D.Labels must be unique within a namespace
E.Annotations are used for identification and selection
AnswersA, B, C

Services use label selectors to route traffic to matching Pods.

Why this answer

Option A is correct because a Kubernetes Service uses a label selector to identify which Pods should receive traffic. When a Service is created with a selector matching certain labels, the endpoint controller dynamically updates the Service's Endpoints object to include the IP addresses of all Pods with those labels, enabling traffic routing.

Exam trap

CNCF often tests the distinction between labels and annotations, trapping candidates who assume annotations can also be used for selection, when in fact only labels support selector-based filtering.

504
MCQhard

You have a multi-container pod with a main application container and a sidecar container that handles log shipping. The sidecar container should start before the main container and stop after the main container finishes. Which pod configuration should you use?

A.Define the sidecar as an init container
B.Use the 'startupOrder' field in the pod spec
C.Kubernetes does not natively guarantee startup and shutdown order among containers in a pod
D.Set the sidecar container's command to a script that waits for the main container's port to become available before starting
AnswerC

Containers in a pod start in parallel and terminate in parallel; ordering is not guaranteed without custom logic.

Why this answer

Kubernetes does not guarantee startup order between containers in the same pod; they start in parallel. However, lifecycle hooks can be used to enforce ordering: the sidecar can use a postStart hook to delay, or a preStop hook to wait. Using a postStart hook in the main container to signal the sidecar is not standard.

The correct approach is to use Init Containers for startup ordering, but the sidecar needs to run alongside, so the best answer is to use a postStart hook in the sidecar to wait for the main container to be ready, or to rely on readiness probes. However, the question expects understanding that strict ordering is not natively supported. Option A is a workaround using a startup script; Option B is not a feature; Option C is incorrect because init containers run sequentially and terminate before app containers; Option D correctly states that Kubernetes does not guarantee startup order.

505
Multi-Selectmedium

Which three of the following are valid ways to interact with the Kubernetes API? (Select THREE.)

Select 3 answers
A.Using a Kubernetes client library (e.g., client-go)
B.Using the 'kubeadm' command
C.Using the Docker CLI
D.Using kubectl command-line tool
E.Direct HTTP requests to the API server using tools like curl
AnswersA, D, E

Client libraries wrap API calls.

Why this answer

kubectl, curl, and client libraries are common API interaction methods.

506
MCQeasy

Which command is used to view detailed information about a specific pod?

A.kubectl exec pod -- /bin/sh
B.kubectl logs pod
C.kubectl describe pod
D.kubectl get pod
AnswerC

This command provides detailed information about a pod.

Why this answer

kubectl describe pod provides detailed information including events, status, and configuration.

507
Multi-Selecthard

Which THREE of the following are true about Kubernetes Namespaces?

Select 3 answers
A.PersistentVolumes are namespaced
B.NetworkPolicy can be used to control traffic between pods in different namespaces
C.Nodes are namespaced resources
D.You can apply ResourceQuota to limit resource consumption in a namespace
E.Namespaces are used to isolate resources like Pods and Services
AnswersB, D, E

NetworkPolicy can allow or deny traffic between namespaces when properly configured.

Why this answer

Namespaces provide scope for names and are a way to divide cluster resources between multiple users. They support resource quotas. However, nodes and persistent volumes are cluster-scoped and not namespaced.

Network policies can be applied within a namespace.

508
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the memory limit in the pod's container resource specification
B.Increase the CPU request for the container
C.Delete and recreate the pod to clear the crash loop
D.Delete the namespace and redeploy all workloads
AnswerA

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option B is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

509
MCQmedium

You run the command 'kubectl get pods -n default' and see no pods listed. However, you are sure there should be pods. What is the most likely cause?

A.The current kubectl context is connected to a different cluster
B.All pods are in the 'kube-system' namespace
C.The kube-apiserver is down
D.The pods are in the 'Pending' state and not listed
AnswerA

The kubectl context determines which cluster and namespace you are interacting with. A wrong context would show resources from another cluster.

Why this answer

If kubectl shows no pods but you expect them, the most common cause is that the current kubeconfig context is pointing to the wrong cluster or namespace. Option A is possible but less likely because default namespace typically has pods. Option B is correct.

Option C would cause errors, not an empty list. Option D is not a typical issue.

510
MCQeasy

What is the purpose of Alertmanager in Prometheus?

A.Handle alert notifications
B.Visualize metrics
C.Store long-term metrics
D.Collect metrics from targets
AnswerA

Alertmanager manages alerts and sends notifications.

Why this answer

Alertmanager is the component in the Prometheus ecosystem responsible for handling alerts fired by the Prometheus server. It deduplicates, groups, and routes alerts to configured notification channels such as email, PagerDuty, or Slack, ensuring that operators receive actionable notifications without alert fatigue.

Exam trap

The trap here is that candidates confuse Alertmanager with Prometheus itself, thinking it collects or stores metrics, when in fact it is solely a notification routing and deduplication engine.

How to eliminate wrong answers

Option B is wrong because visualizing metrics is the role of Grafana or the Prometheus expression browser, not Alertmanager. Option C is wrong because long-term metrics storage is handled by remote storage integrations (e.g., Thanos, Cortex) or the Prometheus TSDB itself, not Alertmanager. Option D is wrong because collecting metrics from targets is the function of the Prometheus server via its scrape mechanism, not Alertmanager.

511
MCQeasy

What is the primary purpose of a Kubernetes Service?

A.To provide a stable network endpoint for a set of Pods
B.To manage rolling updates of Pods
C.To schedule Pods onto Nodes
D.To store configuration data for Pods
AnswerA

A Service enables other components to access Pods reliably, even as Pods change.

Why this answer

A Service provides a stable endpoint for a set of Pods, enabling discovery and load balancing across them.

512
MCQmedium

You want to expose a set of pods running on node port 30080 to external traffic. Which Service type should you use?

A.ExternalName
B.LoadBalancer
C.NodePort
D.ClusterIP
AnswerC

NodePort opens a static port on each node's IP.

Why this answer

Option C (NodePort) is correct because a NodePort service exposes the application on a static port (30080) on each node's IP address, making it accessible from outside the cluster via <NodeIP>:30080. This is the appropriate choice when you need to expose pods to external traffic using a specific port number without requiring a cloud load balancer.

Exam trap

The trap here is that candidates confuse NodePort with LoadBalancer, thinking a cloud load balancer is required for external access, but NodePort directly exposes a static port on the node's IP without any cloud dependency.

How to eliminate wrong answers

Option A (ExternalName) is wrong because it maps a service to a DNS name (e.g., an external CNAME record) and does not expose pods or provide any network connectivity to external traffic; it is used for internal DNS aliasing. Option B (LoadBalancer) is wrong because it provisions an external cloud load balancer (e.g., AWS ELB, GCP LB) which assigns a dynamic external IP and port, not a fixed node port like 30080; it is overkill and does not guarantee the specific port. Option D (ClusterIP) is wrong because it exposes the service only on a cluster-internal IP, reachable only from within the cluster, and cannot be accessed from external traffic without additional components like an ingress or proxy.

513
MCQeasy

A container in a pod has been restarted multiple times with 'CrashLoopBackOff' state. What does this indicate?

A.The container is using too much memory
B.The container exits with a non-zero exit code soon after starting
C.The container is running but not responding to health checks
D.The container image cannot be pulled
AnswerB

CrashLoopBackOff occurs when the container fails to stay running.

Why this answer

CrashLoopBackOff means the container is repeatedly crashing after starting, and Kubernetes is backing off from restarting it.

514
MCQeasy

Which CNCF project is commonly used for Infrastructure as Code to provision cloud resources?

A.Terraform
B.Envoy
C.Prometheus
D.CoreDNS
AnswerA

Terraform is an IaC tool, now part of CNCF as a sandbox project.

Why this answer

Terraform is a popular IaC tool for provisioning infrastructure across multiple cloud providers.

515
Multi-Selectmedium

Which THREE of the following are responsibilities of the kube-controller-manager?

Select 3 answers
A.Assigning Pods to Nodes
B.Creating Endpoints objects for Services
C.Monitoring Node health and reacting to Node failures
D.Ensuring the correct number of Pod replicas are running
E.Serving the Kubernetes API
AnswersB, C, D

The Endpoints Controller populates Endpoints objects based on Service selectors.

Why this answer

Option B is correct because the kube-controller-manager includes the EndpointSlice controller (or the legacy Endpoints controller), which is responsible for creating and updating Endpoints (and EndpointSlice) objects to reflect the IP addresses and ports of Pods that match a Service's label selector. This ensures that the Service's DNS or iptables rules point to healthy Pods.

Exam trap

The trap here is that candidates confuse the kube-controller-manager's role in 'managing controllers' with the scheduler's role in 'assigning Pods to nodes', or they mistakenly think the controller-manager serves the API because it interacts with the API server.

516
MCQmedium

A development team deploys a microservice that crashes every few minutes. The deployment uses a single replica, and the pod restarts repeatedly. Which Kubernetes feature should be enabled to ensure the service remains available during failures?

A.Move the deployment to a separate namespace
B.Increase the replicas in the Deployment to at least 2
C.Store the application configuration in a ConfigMap
D.Add a readiness probe to the pod
AnswerB

Increasing replicas allows the ReplicaSet to maintain multiple copies, so if one crashes, others still serve traffic.

Why this answer

Increasing the replicas to at least 2 ensures that if one pod crashes, the other replica(s) can continue serving traffic, maintaining availability. With only a single replica, the service becomes unavailable every time the pod restarts. This is the most direct way to provide redundancy and fault tolerance for a stateless microservice.

Exam trap

The trap here is that candidates often confuse health probes (readiness/liveness) with redundancy; while probes help detect and manage unhealthy pods, they do not provide the multiple running instances needed to maintain availability during a crash.

How to eliminate wrong answers

Option A is wrong because moving the deployment to a separate namespace does not affect pod availability or crash recovery; namespaces are for logical isolation, not high availability. Option C is wrong because storing configuration in a ConfigMap decouples configuration from the container image but does not prevent or recover from pod crashes. Option D is wrong because a readiness probe only controls whether a pod receives traffic; it does not keep the service available if the pod crashes—it merely stops sending traffic to an unhealthy pod, but with a single replica, no other pod exists to handle requests.

517
MCQmedium

What is the primary purpose of the sidecar container in a service mesh?

A.To run application business logic
B.To handle logging and monitoring of the main container
C.To provide persistent storage for the main container
D.To intercept and manage network traffic for the main container
AnswerD

Sidecar proxies handle communication.

Why this answer

In a service mesh, the sidecar container (typically an Envoy or Linkerd proxy) is injected alongside the main application container to intercept and manage all inbound and outbound network traffic. This allows the service mesh to enforce traffic policies, handle service discovery, implement retries and circuit breaking, and collect telemetry without modifying the application code. The sidecar operates at the network layer (L4/L7), decoupling communication concerns from business logic.

Exam trap

CNCF often tests the misconception that the sidecar's primary role is logging and monitoring, but the correct answer is always traffic interception and management, as that is the core architectural purpose of a service mesh sidecar.

How to eliminate wrong answers

Option A is wrong because the sidecar container does not run application business logic; that is the responsibility of the main container. Option B is wrong because while the sidecar can collect telemetry data as a byproduct of traffic interception, its primary purpose is not logging and monitoring—those are separate concerns often handled by dedicated agents or the control plane. Option C is wrong because persistent storage is provided by volumes or CSI drivers, not by sidecar containers, which are ephemeral and focused on network functions.

518
MCQeasy

Which statement accurately describes a key difference between containers and virtual machines?

A.Virtual machines share the host kernel, while containers have their own kernel
B.Both containers and virtual machines require a hypervisor
C.Containers include a full guest operating system
D.Containers share the host OS kernel, while virtual machines include a full guest OS
AnswerD

This is the key difference: containers are lightweight because they share the host kernel.

Why this answer

Containers share the host OS kernel and are lightweight, while VMs include a full guest OS and hypervisor, making them heavier.

519
MCQmedium

A microservice logs errors when connecting to the database. The logs show 'connection refused'. Which troubleshooting step should be taken first?

A.Verify the database Service and Endpoints in Kubernetes
B.Scale up the microservice deployment
C.Restart the microservice pod
D.Check the logs of other microservices
AnswerA

Directly checks if the database service is available.

Why this answer

The 'connection refused' error indicates that the microservice is attempting to connect to a TCP port on the database endpoint, but no process is listening there. In Kubernetes, the first step is to verify that the database Service exists and that its Endpoints object contains the correct pod IPs and port. If the Endpoints are empty or missing, the Service is not routing traffic to any healthy database pod, which directly causes the refusal.

This aligns with the Kubernetes troubleshooting hierarchy: always check the Service and Endpoints before assuming application-level issues.

Exam trap

The trap here is that candidates often jump to restarting the pod or scaling the deployment, assuming the microservice itself is faulty, rather than recognizing that 'connection refused' is a network-level symptom pointing to the target (the database Service/Endpoints) not being available.

How to eliminate wrong answers

Option B is wrong because scaling up the microservice deployment will create more pods that all try to connect to the same unreachable database, multiplying the failure without addressing the root cause. Option C is wrong because restarting the microservice pod will only reattempt the same connection to the same database endpoint, which will still be refused if the database Service or its backing pods are misconfigured. Option D is wrong because checking logs of other microservices is a distraction; the 'connection refused' error is specific to the database connectivity and does not require cross-service log analysis to diagnose.

520
MCQ · easy

What is the smallest deployable unit in Kubernetes that can be created, scheduled, and managed?

A. Pod
B. Deployment
C. Node
D. Container
Answer: A

Pods are the atomic unit of deployment in Kubernetes.

Why this answer

A Pod is the smallest deployable unit, encapsulating one or more containers with shared storage and network.

521
MCQ · easy

What is Helm's role in Kubernetes?

A. A CI/CD server
B. A package manager for Kubernetes applications
C. A security scanner for container images
D. A monitoring and logging tool
Answer: B

Helm manages charts to define, install, and upgrade applications.

Why this answer

Helm is a package manager that simplifies deploying and managing Kubernetes applications using charts.

522
MCQ · medium

An organization uses GitOps with ArgoCD to manage Kubernetes deployments. What is the PRIMARY advantage of this approach over traditional imperative deployment methods?

A. It eliminates the need for any manual approval processes
B. It provides a single source of truth for cluster state through Git
C. It allows developers to directly access the Kubernetes cluster
D. It reduces the number of containers needed in a deployment
Answer: B

GitOps uses Git as the authoritative source for desired state, enabling automated drift correction and audit trails.

Why this answer

Option B is correct. GitOps uses a Git repository as the single source of truth, enabling declarative configuration, version control, and automated reconciliation. GitOps does not necessarily speed up deployments; it focuses on consistency.

Option C is not the primary advantage; multiple teams can still access the cluster. Option A is incorrect because manual approval workflows can still be implemented.

523
MCQ · hard

An application experiences intermittent failures when calling an external API. Which resilience pattern should be implemented to handle transient faults?

A. Bulkhead
B. Circuit breaker
C. Timeout
D. Retry
Answer: D

Retry handles transient failures by reattempting the operation.

Why this answer

Option D (Retry) is correct because intermittent failures when calling an external API are typically transient faults (e.g., network glitches, temporary service unavailability). The Retry pattern automatically reattempts the failed operation a configured number of times, often with exponential backoff, to overcome these short-lived issues without changing the application's overall architecture. This directly addresses the scenario's requirement to handle transient faults.

Exam trap

CNCF often tests the distinction between handling transient faults (Retry) versus preventing cascading failures (Circuit breaker), leading candidates to choose Circuit breaker when the question explicitly mentions 'intermittent' or 'transient' faults.

How to eliminate wrong answers

Option A is wrong because Bulkhead isolates resources (e.g., thread pools) to prevent failures in one component from cascading, but it does not handle transient faults in API calls. Option B is wrong because Circuit breaker prevents repeated calls to a failing service by opening the circuit after a threshold of failures, which is designed for longer-term outages, not transient faults. Option C is wrong because Timeout sets a maximum wait time for a response but does not retry the call; it only prevents indefinite blocking, leaving the failure unhandled.

524
MCQ · medium

A pod is stuck in 'Pending' state. Which of the following is the MOST likely cause?

A. There are no nodes with enough resources to run the pod
B. The pod has been deleted
C. The container image is invalid
D. The pod's liveness probe is failing
Answer: A

Pending often means the scheduler cannot find a suitable node.

Why this answer

A pod stays pending when it cannot be scheduled to a node, typically due to insufficient resources or node selector issues.

525
Multi-Select · easy

Which TWO of the following are true about container networking basics? (Choose 2)

Select 2 answers
A. Containers can only communicate if they are on the same node
B. Containers on the same host can communicate via a bridge network
C. Each container has its own network namespace
D. Container networking does not require any configuration
E. All containers share the host's IP address
Answers: B, C

A bridge network connects containers to the same L2 network, allowing communication.

Why this answer

Containers use network namespaces to isolate their network stack. Bridge networking is a common way to allow containers on the same host to communicate. Each container does not need its own IP from the host network; they get IPs from the bridge network.
