Kubernetes and Cloud Native Associate KCNA (KCNA) — Questions 601-675

997 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
Multi-Select · medium

Which TWO statements about Kubernetes namespaces are true?

Select 2 answers
A. All Kubernetes objects are namespaced.
B. Namespaces automatically isolate services in different namespaces from communicating.
C. Namespaces provide network isolation between pods by default.
D. Namespaces are used to divide cluster resources between multiple users or teams.
E. Resource quotas can be applied to a namespace to limit aggregate resource consumption.
Answers: D, E

Correct; namespaces provide logical isolation.

Why this answer

Option D is correct because namespaces are a fundamental mechanism in Kubernetes for dividing cluster resources among multiple users or teams, enabling multi-tenancy and resource management through policies like Role-Based Access Control (RBAC) and ResourceQuotas. Option E is correct because ResourceQuotas are Kubernetes objects that can be applied to a namespace to enforce aggregate limits on CPU, memory, and other resources, preventing any single team from exhausting cluster capacity.

Exam trap

The trap here is that candidates confuse namespaces with network isolation, assuming that simply placing resources in different namespaces automatically blocks cross-namespace traffic, when in fact Kubernetes allows all pod-to-pod communication across namespaces by default and requires explicit NetworkPolicy rules to restrict it.

602
MCQ · hard

Your organization runs a microservices application on a Kubernetes cluster with 5 worker nodes (each with 4 vCPU, 16GB RAM). The application consists of 20 microservices, each deployed as a Deployment with 3 replicas. Recently, after a new microservice 'inventory' was deployed with resource requests of 2 CPU and 4GB memory per pod, the cluster started experiencing pod scheduling failures. Many existing pods are in 'Pending' state with events indicating 'Insufficient cpu' or 'Insufficient memory'. The cluster has cluster autoscaling enabled (node pool ranging from 3 to 10 nodes), but new nodes are not being added quickly enough, and the existing nodes are heavily utilized. You need to resolve the scheduling failures while ensuring the inventory service can scale. Which course of action should you take?

A. Increase the cluster autoscaler max nodes to 20 and set a 0-second scale-up delay.
B. Set resource limits equal to requests for all microservices to guarantee resources.
C. Reduce the CPU request of the inventory deployment to 1 CPU per pod to allow better packing on existing nodes while cluster autoscaler catches up.
D. Delete all pending pods and recreate them manually.
Answer: C

Lowering requests improves packing and reduces pending status immediately.

Why this answer

Option C is correct because reducing the CPU request of the inventory deployment to 1 CPU per pod allows the scheduler to pack pods more efficiently on existing nodes, alleviating immediate 'Insufficient cpu' and 'Insufficient memory' failures while the cluster autoscaler provisions new nodes. This approach balances short-term scheduling needs with the ability to scale the inventory service later, as requests can be adjusted upward once the cluster has more capacity.

Exam trap

The trap here is that candidates may think increasing cluster autoscaler limits or setting limits equal to requests will solve the problem, but they overlook that the autoscaler cannot instantaneously add nodes and that setting limits does not free up existing resources, while reducing requests directly addresses the immediate scheduling bottleneck.

How to eliminate wrong answers

Option A is wrong because increasing the cluster autoscaler max nodes to 20 and setting a 0-second scale-up delay does not address the immediate scheduling failures; the autoscaler cannot add nodes instantly due to cloud provider provisioning latency, and the existing nodes are already heavily utilized, so pods will remain pending. Option B is wrong because setting resource limits equal to requests for all microservices does not free up resources; it only prevents bursting, which does not resolve the existing resource shortage on the nodes. Option D is wrong because deleting all pending pods and recreating them manually does not change the underlying resource constraints; the scheduler will still fail to place them due to insufficient CPU and memory on the nodes.

603
MCQ · medium

According to the 12-factor app methodology, how should an application store configuration that varies between deployments (e.g., database connection strings)?

A. In a configuration file that is version-controlled
B. In a database table
C. In environment variables
D. Hard-coded in the application code
Answer: C

Environment variables provide a clean separation and are easy to change per deployment.

Why this answer

The 12-factor app recommends strict separation of config from code, storing config in environment variables.

604
MCQ · hard

A developer creates a Deployment with replicas: 3 and strategy type: RollingUpdate with maxSurge: 1 and maxUnavailable: 1. During a rolling update, the Deployment controller creates a new ReplicaSet. After the new ReplicaSet has 2 pods ready, the node running one of the original ReplicaSet's pods fails. What is the MOST likely number of total pods running after the node failure, assuming no other actions?

A. 2 pods running
B. 4 pods running
C. 3 pods running
D. 1 pod running
Answer: A

Before node failure: old ReplicaSet scaled down to 1, new up to 2 (total 3). Node failure kills the old pod, leaving 2 new pods running.

Why this answer

Option A is correct. Initially there are 3 old pods. maxSurge=1 allows up to 4 total pods. maxUnavailable=1 requires at least 2 available pods. After the new ReplicaSet has 2 pods ready, the controller would have scaled the old ReplicaSet down to 1 (making the total 3: 2 new + 1 old).

Node failure kills the old pod. New ReplicaSet remains at 2. Total running = 2 (both new).

Four pods (option B) would require two old pods to still be running. Three pods (option C) would only happen if the old pod had not been killed. One pod (option D) would be too few, since both new pods survive the failure.

605
MCQ · medium

A developer wants to run a stateless web application with 5 replicas and ensure that when a new version is released, Pods are updated one by one with no downtime. Which Kubernetes resource is best suited?

A. Job
B. DaemonSet
C. StatefulSet
D. Deployment
Answer: D

Deployment manages replicas and supports rolling updates.

Why this answer

Deployment with a RollingUpdate strategy is ideal for stateless applications requiring zero-downtime updates.

606
MCQ · medium

Which CNCF project is at the 'Graduated' maturity level and is widely used for container orchestration?

A. Kubernetes
B. Prometheus
C. Envoy
D. Helm
Answer: A

Kubernetes is the first graduated CNCF project.

Why this answer

Kubernetes is the correct answer because it is the only CNCF project at the 'Graduated' maturity level that is specifically designed and widely adopted for container orchestration. It automates deployment, scaling, and management of containerized applications, making it the de facto standard in cloud-native environments.

Exam trap

CNCF often tests the distinction between a project's maturity level and its function, so the trap here is that candidates may assume any popular CNCF project (like Prometheus or Envoy) is used for orchestration, when in fact only Kubernetes fulfills that specific role at the Graduated level.

How to eliminate wrong answers

Option B (Prometheus) is wrong because, although it is a Graduated CNCF project, it is a monitoring and alerting toolkit, not a container orchestration platform. Option C (Envoy) is wrong because it is a Graduated CNCF project but functions as a high-performance proxy and service mesh data plane, not an orchestrator. Option D (Helm) is wrong because it is a package manager for Kubernetes (Incubating maturity level), not a container orchestration tool itself.

607
Multi-Select · easy

Which TWO of the following are characteristics of a Kubernetes Pod?

Select 2 answers
A. Pods can only run a single container
B. Pods are the smallest deployable units in Kubernetes
C. Containers within a Pod share the same network namespace
D. Pods are designed to be long-lived and rarely replaced
E. Pods are typically replicated by a Deployment or ReplicaSet
Answers: B, C

Pods are the atomic unit of scheduling.

Why this answer

B is correct because Pods are the smallest and most fundamental deployable units in Kubernetes, representing a single instance of a running process in the cluster. A Pod encapsulates one or more containers, storage resources, and a unique network IP, and is the atomic unit of scheduling. This is defined in the Kubernetes core API and is a foundational concept for the KCNA exam.

Exam trap

CNCF often tests the misconception that Pods are long-lived or that they can only run a single container, confusing Pods with virtual machines or containers themselves, while the key exam point is that Pods are the smallest deployable unit and share network namespaces.

608
Matching · medium

Match each Kubernetes command (kubectl) to its primary function.

Matches

List one or more resources

Show detailed state of a resource

Create or update resources from a file or stdin

Execute a command inside a container

Print logs from a container in a pod

Why these pairings

These are essential kubectl commands for daily operations.

609
Multi-Select · hard

Which TWO of the following are true about service discovery in Kubernetes? (Choose 2)

Select 2 answers
A. Ingress resources can be used for internal service discovery
B. Service discovery is only available for pods on the same node
C. Environment variables are injected into pods for each Service
D. Services are assigned a DNS name in the form <service>.<namespace>.svc.cluster.local
E. Headless Services provide a stable virtual IP for service discovery
Answers: C, D

When a pod starts, environment variables are set for each active Service.

Why this answer

Kubernetes provides DNS-based service discovery, where Services get DNS names resolved by CoreDNS. Services also have environment variables injected into pods. Headless Services do not provide a single IP; they return the pod IPs.

Ingress is for external traffic, not internal service discovery.

610
MCQ · hard

A team wants to deploy a stateful application that requires each pod to have a unique, stable network identity and persistent storage that persists across rescheduling. Which Kubernetes resource is most appropriate?

A. DaemonSet
B. Deployment
C. StatefulSet
D. Job
Answer: C

StatefulSet gives each pod a sticky identity and can manage persistent storage per pod.

Why this answer

StatefulSet provides stable network identities and persistent storage for stateful applications.

611
MCQ · medium

You run 'kubectl get pods' and see a pod with status 'Pending'. Which is the most likely cause?

A. The pod's container has crashed
B. The scheduler cannot find a node that meets the pod's resource requirements
C. The container image is not found
D. The pod has been deleted by a controller
Answer: B

Pending often means the scheduler is unable to place the pod due to resource constraints.

Why this answer

A Pending pod usually indicates scheduling issues, such as insufficient resources or node constraints.

612
MCQ · hard

Which of the following correctly describes the concept of 'immutable infrastructure' in the context of container orchestration?

A. Infrastructure components are recreated from a known good state rather than modified
B. Configuration changes are applied via SSH into running containers
C. Servers are never rebooted
D. Container images are updated in-place by patching existing layers
Answer: A

This is the core idea of immutability.

Why this answer

Immutable infrastructure means that once a container image is built, it is never modified; updates are done by replacing the entire container with a new image.

613
MCQ · hard

A cluster administrator wants to ensure that a specific pod only runs on nodes that have an SSD for local storage. The nodes with SSDs have the label 'disk-type: ssd'. How should the administrator configure the pod to enforce this constraint?

A. Add a toleration for node.kubernetes.io/disk-type: ssd
B. Add a nodeSelector with 'disk-type: ssd' to the pod spec
C. Use a readiness probe to check for SSD
D. Add an annotation 'disk-type: ssd' to the pod
Answer: B

nodeSelector is the simplest way to constrain a pod to nodes with specific labels.

Why this answer

Option B is correct because the `nodeSelector` field in a Pod spec is the standard Kubernetes mechanism for constraining a Pod to run only on nodes that match specific labels. By setting `nodeSelector: { disk-type: ssd }`, the scheduler will ensure the Pod is placed exclusively on nodes with that label, enforcing the administrator's requirement.

Exam trap

The trap here is that candidates confuse tolerations (for taints) with node selectors (for labels), or think annotations or probes can influence scheduling, when only `nodeSelector` or node affinity directly control node placement based on labels.

How to eliminate wrong answers

Option A is wrong because tolerations are used to allow Pods to run on nodes with taints, not to select nodes based on labels; a toleration for `node.kubernetes.io/disk-type: ssd` would be meaningless as this is not a well-known taint key. Option C is wrong because a readiness probe checks whether a container is ready to serve traffic, not the hardware characteristics of the node; it cannot enforce node selection. Option D is wrong because annotations are metadata for non-identifying information and are not used by the scheduler for node placement decisions.

614
MCQ · easy

What is the purpose of a circuit breaker pattern in microservices?

A. To distribute traffic across multiple instances
B. To stop cascading failures by preventing calls to a failing service
C. To encrypt communication between services
D. To automatically retry failed requests
Answer: B

The circuit breaker opens when failures reach a threshold, stopping calls and allowing the service to recover.

Why this answer

The circuit breaker pattern prevents an application from repeatedly trying to execute an operation that is likely to fail, allowing it to recover gracefully.

615
Multi-Select · hard

Which THREE of the following practices are essential for a secure cloud native CI/CD pipeline?

Select 3 answers
A. Sign container images and verify signatures during deployment
B. Store secrets in plain text in the pipeline configuration
C. Use a single long-lived service account for all pipeline steps
D. Scan container images for vulnerabilities before deployment
E. Apply least-privilege IAM roles to pipeline components
Answers: A, D, E

Ensures image integrity and authenticity.

Why this answer

Signing container images (e.g., using Cosign or Notary) and verifying those signatures during deployment ensures that only trusted, unmodified images are deployed, preventing supply chain attacks. This practice enforces image integrity and provenance, which is a core security requirement for cloud native CI/CD pipelines.

Exam trap

CNCF often tests the misconception that storing secrets in plain text is acceptable if the pipeline is 'internal' or 'trusted,' but the KCNA exam emphasizes that secrets must never be stored in plain text in any CI/CD configuration.

616
Multi-Select · medium

Which TWO of the following are core principles of the 12-factor app? (Choose 2.)

Select 2 answers
A. Shared state
B. Manual deployment
C. Dependencies
D. Singleton processes
E. Config
Answers: C, E

Why this answer

The 12-factor app includes principles such as explicit dependency declaration (Dependencies) and strict separation of config from code (Config).

617
MCQ · medium

A Pod is stuck in 'Pending' state. Which command is most helpful to diagnose the issue?

A. kubectl logs my-pod
B. kubectl get events
C. kubectl describe pod my-pod
D. kubectl top pod my-pod
Answer: C

This shows events and status conditions that indicate why the Pod is pending (e.g., insufficient resources).

Why this answer

Option C is correct because 'kubectl describe pod my-pod' provides detailed information about the pod's current state, including events, conditions, and resource constraints. When a pod is stuck in 'Pending', it typically means the scheduler cannot place it on a node due to issues like insufficient CPU/memory, persistent volume claims not being bound, or node selector mismatches. The 'describe' command surfaces these specific reasons in the 'Events' section and 'Conditions' field, making it the most direct diagnostic tool.

Exam trap

CNCF often tests the misconception that 'kubectl logs' is the universal debugging command, but for pending pods, logs are unavailable because containers haven't started, making 'kubectl describe' the correct choice for pre-run failures.

How to eliminate wrong answers

Option A is wrong because 'kubectl logs my-pod' retrieves container logs, but a pod in 'Pending' state has not started any containers yet, so there are no logs to fetch; this command is useful only after the pod is running. Option B is wrong because 'kubectl get events' shows cluster-wide events, which can be noisy and may not filter to the specific pod; while it can include scheduling failures, it lacks the pod-specific context and resource details that 'describe' provides. Option D is wrong because 'kubectl top pod my-pod' shows real-time resource usage metrics, which are only available for running pods; a pending pod has no resource consumption data to report.

618
MCQ · medium

A developer created a Deployment with image 'myapp:v1' and then ran 'kubectl set image deployment/myapp myapp=myapp:v2'. What is the effect of this command?

A. It updates the Service selector to point to pods with the new image.
B. It updates the Deployment's pod template to use the new image, triggering a rolling update.
C. It creates a new Deployment named 'v2' with the new image.
D. It immediately restarts all pods with the new image.
Answer: B

The command modifies the Deployment's container image, initiating a rolling update.

Why this answer

The `kubectl set image deployment/myapp myapp=myapp:v2` command updates the pod template within the Deployment's specification to use the new image `myapp:v2`. This change triggers a rolling update, where the Deployment controller creates new pods with the updated image and gradually terminates old pods, ensuring zero downtime. The command does not affect Services, create new Deployments, or restart pods immediately without a rolling update strategy.

Exam trap

CNCF often tests the distinction between updating a Deployment's pod template (which triggers a rolling update) versus directly restarting pods or modifying Services, leading candidates to mistakenly think the command affects Service selectors or creates a new Deployment.

How to eliminate wrong answers

Option A is wrong because `kubectl set image` only modifies the Deployment's pod template; it does not update Service selectors, which are used to route traffic to pods based on labels, not image versions. Option C is wrong because the command updates the existing Deployment's pod template in place, not creating a new Deployment; Kubernetes Deployments are versioned through their pod template changes, not by creating separate Deployment objects. Option D is wrong because the command does not immediately restart all pods; it updates the desired state in the Deployment's pod template, and the Deployment controller performs a rolling update according to the `strategy` field (defaulting to RollingUpdate), which gradually replaces pods rather than restarting them all at once.

619
MCQ · easy

Which Kubernetes component is responsible for maintaining the desired state of the cluster by running controller loops?

A. kube-controller-manager
B. etcd
C. kube-apiserver
D. kube-scheduler
Answer: A

The kube-controller-manager runs controller processes that reconcile the actual state with the desired state.

Why this answer

The kube-controller-manager is the component that runs controller loops to regulate the state of the cluster. Each controller (e.g., Node Controller, Replication Controller) watches the shared state via the API server and makes changes to drive the actual cluster state toward the desired state defined in the control plane. This is the core mechanism for self-healing and maintaining declarative configuration.

Exam trap

CNCF often tests the misconception that the API server (kube-apiserver) is responsible for maintaining desired state because it is the central hub, but the API server only serves the API and stores state in etcd, while the actual reconciliation is done by the controller-manager's loops.

How to eliminate wrong answers

Option B (etcd) is wrong because etcd is a distributed key-value store used for cluster data persistence, not for running controller loops; it stores the desired and current state but does not reconcile them. Option C (kube-apiserver) is wrong because the API server is the front-end for the Kubernetes control plane that validates and processes RESTful requests, but it does not execute controller logic or maintain desired state through loops. Option D (kube-scheduler) is wrong because the scheduler is responsible for assigning pods to nodes based on resource availability and constraints, not for running controller loops to maintain desired state.

620
MCQ · hard

A developer creates a Deployment with the following YAML snippet:

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
      - name: nginx
        image: nginx:1.21
```

What will happen if the label 'app: frontend' is omitted from the pod template's metadata?

A. The Deployment will fail to create because the selector and template labels mismatch
B. The Deployment will create pods with a random label
C. The pods will be created but will not be part of the Deployment
D. The pods will be created but will not have networking
Answer: A

Kubernetes requires the pod template's labels to match the selector; otherwise, the API rejects the deployment.

Why this answer

The Deployment's selector requires that the pod template has matching labels. Without them, the Deployment will fail validation or not manage any pods.

621
MCQ · easy

Which Kubernetes object is used to logically isolate resources within a cluster, such as for separating environments like dev and prod?

A. ClusterRole
B. ResourceQuota
C. Node
D. Namespace
Answer: D

Namespaces partition the cluster into virtual sub-clusters.

Why this answer

D is correct because a Namespace is the Kubernetes object designed to logically isolate resources within a single cluster. By creating separate Namespaces for environments like dev and prod, you can apply distinct policies, quotas, and access controls without needing multiple physical clusters.

Exam trap

The trap here is that candidates often confuse Namespaces with other cluster-scoped or resource-limiting objects, mistakenly thinking a ClusterRole or ResourceQuota can provide logical isolation, when in fact Namespaces are the fundamental building block for environment separation.

How to eliminate wrong answers

Option A is wrong because a ClusterRole is a cluster-scoped RBAC object that defines permissions across the entire cluster, not a mechanism for isolating resources or environments. Option B is wrong because a ResourceQuota is an object that sets hard limits on resource consumption (e.g., CPU, memory) within a specific Namespace, but it does not itself create logical isolation or separate environments. Option C is wrong because a Node is a worker machine (physical or virtual) that runs Pods; it is a compute resource, not an object for logically separating environments within a cluster.

622
MCQ · medium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A. Increase the CPU request for the container
B. Increase the memory limit in the pod's container resource specification
C. Delete and recreate the pod to clear the crash loop
D. Delete the namespace and redeploy all workloads
Answer: B

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The OOMKilled status indicates the container was terminated because it exceeded its memory limit. The most appropriate action is to increase the memory limit in the pod's container resource specification, which allows the container to use more memory without being killed by the Out-Of-Memory (OOM) killer. This resolves the root cause by providing sufficient memory for the workload.

Exam trap

The trap here is that candidates confuse CPU and memory resource management, assuming increasing CPU requests can resolve memory-related OOM kills, or they opt for a destructive restart instead of adjusting the resource specification.

How to eliminate wrong answers

Option A is wrong because increasing the CPU request does not address memory exhaustion; CPU and memory are independent resources, and OOMKilled is triggered by memory limits, not CPU. Option C is wrong because deleting and recreating the pod only restarts the container with the same resource limits, so it will immediately crash again due to the same memory constraint. Option D is wrong because deleting the entire namespace and redeploying all workloads is an extreme, unnecessary action that disrupts all other workloads and does not fix the underlying memory limit issue.

623
Multi-Select · hard

Which THREE of the following are valid ways to assign a pod to a specific node? (Choose three.)

Select 3 answers
A. Setting the 'nodeName' field in the pod spec
B. Using 'affinity' with 'nodeAffinity' rules
C. Using 'nodeSelector' with label matching
D. Using a ServiceAccount
E. Setting the 'clusterName' field
Answers: A, B, C

Directly assigns the pod to a node.

Why this answer

nodeName, nodeSelector, and node affinity are all mechanisms to schedule pods on specific nodes.

624
MCQ · medium

An application deployment in Kubernetes uses a Deployment object. During a rolling update, the new ReplicaSet fails to become healthy. What is the default behavior of the Deployment controller?

A. It continues the rollout, ignoring the health check failures
B. It automatically rolls back to the previous revision
C. It scales down the old ReplicaSet to zero
D. It pauses the rollout and keeps the old ReplicaSet running
Answer: D

By default, the Deployment controller will pause the rollout, leaving the old ReplicaSet active.

Why this answer

By default, the Deployment controller will stop the rollout if the new pods are unhealthy, and the old ReplicaSet remains running.

625
MCQ · easy

In the context of the 12-factor app methodology, which factor emphasizes storing configuration in environment variables?

A. Backing services
B. Dependencies
C. Config
D. Codebase
Answer: C

Config is the factor that recommends storing configuration in environment variables.

Why this answer

Factor III of the 12-factor app methodology states that config should be stored in environment variables to keep it separate from code.

626
MCQ · easy

What is the primary difference between a container and a virtual machine (VM)?

A. Containers are slower to start than VMs
B. Containers provide stronger isolation than VMs
C. VMs are more portable than containers
D. Containers share the host OS kernel, whereas VMs include a full guest OS
Answer: D

This is the fundamental difference. Containers virtualize the OS, while VMs virtualize the hardware.

Why this answer

Containers share the host OS kernel, while VMs include a full guest OS. This makes containers more lightweight and portable.

627
MCQ · medium

A team wants to ensure that at least 99.9% of all requests to their application complete within 500ms over a 30-day window. How should this requirement be classified?

A. Service Level Agreement (SLA)
B. Service Level Objective (SLO)
C. Service Level Indicator (SLI)
D. Key Performance Indicator (KPI)
Answer: B

Correct. This is an internal target for reliability.

Why this answer

An SLO is a target level of reliability, expressed as a percentage of a metric over a time window.

628
MCQ · hard

A company uses Prometheus for monitoring and wants to alert when the average CPU usage over 5 minutes exceeds 80%. Which PromQL query would correctly define this alert rule?

A. avg(rate(node_cpu_seconds_total{mode="idle"}[5m])) > 0.8
B. avg(node_cpu_seconds_total{mode!="idle"}[5m]) > 0.8
C. avg(rate(node_cpu_seconds_total{mode!="idle"}[5m])) > 0.8
D. sum(rate(node_cpu_seconds_total{mode!="idle"}[5m])) > 0.8
Answer: C

Correct. This calculates the average non-idle (usage) rate over 5 minutes and checks if >80%.

Why this answer

The query should calculate the average CPU usage rate over 5 minutes and compare it to 0.8 (80%).

629
MCQ · easy

Which CNCF project maturity level indicates that a project has successfully adopted the CNCF governance and is considered stable for production use?

A. Incubating
B. Experimental
C. Graduated
D. Sandbox
Answer: C

Graduated is the highest level, indicating production readiness.

Why this answer

The Graduated maturity level is the highest in the CNCF project lifecycle, indicating that a project has successfully adopted CNCF governance, demonstrated long-term stability, and is considered safe for production use. This requires meeting rigorous criteria including adoption by multiple end users, a defined governance structure, and completion of a security audit.

Exam trap

CNCF often tests the distinction between Sandbox and Incubating, where candidates mistakenly think Sandbox implies production readiness, but Sandbox is explicitly for early-stage projects that have not yet demonstrated stability or adopted full CNCF governance.

How to eliminate wrong answers

Option A is wrong because Incubating is an intermediate stage where projects have shown initial adoption and are working toward graduation, but they are not yet considered fully stable for production use. Option B is wrong because Experimental is not a CNCF maturity level; the CNCF uses Sandbox, Incubating, and Graduated, while Experimental is a term used by other foundations or early-stage projects outside the CNCF. Option D is wrong because Sandbox is the entry-level stage for early-stage projects that are not yet ready for production use and have not fully adopted CNCF governance.

630
MCQ · hard

A Deployment has a strategy of RollingUpdate with maxSurge=1 and maxUnavailable=0. The Deployment manages 3 replicas. The image is updated. What happens during the update?

A. All 3 new Pods are created, and then the old ones are terminated all at once
B. One new Pod is created, and once it is ready, one old Pod is terminated. This repeats until all Pods are updated.
C. All 3 old Pods are terminated simultaneously before new ones start
D. The update fails because maxUnavailable cannot be 0
Answer: B

This matches the rolling update behavior with maxSurge=1 and maxUnavailable=0.

Why this answer

With maxUnavailable=0, no Pod can be unavailable during update. With maxSurge=1, one extra Pod can be created, so a new Pod is created first, then an old one is terminated, ensuring all 3 replicas are always available.

631
MCQ · easy

In a CI/CD pipeline, what is the difference between continuous delivery and continuous deployment?

A. Continuous delivery requires manual approval for production deployment; continuous deployment automates it
B. Continuous delivery automatically deploys to production; continuous deployment does not
C. There is no difference; the terms are used interchangeably
D. Continuous deployment runs tests; continuous delivery does not
Answer: A

That is the key distinction.

Why this answer

Continuous delivery ensures code is always in a deployable state but requires manual approval for production deployment. Continuous deployment automatically deploys every change to production without manual intervention.

632
Multi-Selectmedium

Which THREE of the following are important security practices in a container image CI/CD pipeline?

Select 3 answers
A.Hardcoding credentials in the image
B.Running containers as root user
C.Signing images to ensure integrity
D.Using minimal base images to reduce attack surface
E.Scanning images for vulnerabilities in the CI pipeline
AnswersC, D, E

Image signing verifies the image was produced by a trusted source.

Why this answer

Image scanning, signing, and using minimal base images are key security practices. Hardcoding credentials and running containers as root are anti-patterns.

633
MCQeasy

What is the purpose of a Kubernetes Service?

A.To provide a stable endpoint for a set of pods
B.To store configuration data as key-value pairs
C.To manage rolling updates of container images
D.To schedule pods onto nodes
AnswerA

Services abstract access to pods and provide load balancing.

Why this answer

A Service provides a stable IP address and DNS name to access a set of pods, enabling load balancing and service discovery.

634
MCQmedium

Which of the following is a valid use case for a DaemonSet?

A.Running a batch job that must complete once
B.Running a stateless web application with multiple replicas
C.Running a stateful application with persistent storage
D.Running a logging agent on every node
AnswerD

DaemonSet ensures the agent runs on each node.

Why this answer

DaemonSet ensures that a copy of a pod runs on all (or some) nodes, commonly used for cluster-wide services like log collection or monitoring agents.

635
MCQhard

A team uses Helm to manage a complex application. They want to perform a release upgrade but keep a record of the previous release so they can roll back if needed. Which Helm command should they use?

A.helm delete --purge
B.helm upgrade --history-max 5
C.helm rollback
D.helm install
AnswerB

'helm upgrade --history-max 5' upgrades the release while retaining release history (up to the last 5 revisions), so a later rollback is possible.

Why this answer

The 'helm upgrade' command performs the upgrade and retains release history by default, which is what makes a later 'helm rollback' possible; the '--history-max' flag sets the maximum number of release revisions to keep (5 in this case). 'helm rollback' is only used afterwards to return to a retained revision, so the upgrade command with its history setting is the answer to a question about upgrading while keeping history.

636
MCQeasy

What is the smallest deployable unit in Kubernetes?

A.Pod
B.Node
C.Deployment
D.Container
AnswerA

A Pod represents a single instance of a running process.

Why this answer

A Pod is the smallest and simplest unit in the Kubernetes object model.

637
Multi-Selecthard

Which THREE of the following are valid attributes in a Kubernetes Pod specification? (Select 3)

Select 3 answers
A.volumes
B.ports
C.clusterIP
D.nodeSelector
E.containers
AnswersA, D, E

The 'volumes' field defines storage volumes that can be mounted by containers.

Why this answer

Options A, D, and E are correct. 'volumes' (A) defines volumes that can be mounted by containers, 'nodeSelector' (D) constrains which nodes the Pod can run on, and 'containers' (E) defines the list of containers in the Pod. Option B is incorrect because 'ports' is not a top-level field; ports are defined within containers. Option C is incorrect because 'clusterIP' is an attribute of a Service, not a Pod.

638
Multi-Selecteasy

Which TWO of the following are key principles of cloud native architecture?

Select 2 answers
A.Immutable infrastructure
B.Infrastructure automation
C.Microservices
D.Monolithic design
E.Manual scaling
AnswersB, C

Automation is essential for managing dynamic cloud environments.

Why this answer

Infrastructure automation (B) is a key principle of cloud native architecture because it enables consistent, repeatable, and error-free provisioning and management of infrastructure through code (e.g., Terraform, AWS CloudFormation, Ansible). This aligns with the cloud native goal of reducing manual toil and enabling rapid, reliable deployments. Microservices (C) is also a core principle, as it structures applications as a collection of loosely coupled, independently deployable services that can be scaled and updated individually, which is fundamental to cloud native agility and resilience.

Exam trap

CNCF often tests the distinction between 'key principles' (like microservices and automation) and 'operational patterns' (like immutable infrastructure), leading candidates to select immutable infrastructure as a principle when it is actually a best practice derived from those principles.

639
MCQeasy

What is the OCI (Open Container Initiative) responsible for?

A.Hosting public container images
B.Providing a default container runtime for Kubernetes
C.Managing container orchestration
D.Defining standards for container images and runtimes
AnswerD

The OCI maintains the Image Spec and Runtime Spec to ensure container compatibility.

Why this answer

The Open Container Initiative (OCI) is a Linux Foundation project that defines open industry standards for container image formats and container runtimes. Its two main specifications are the OCI Image Spec (which standardizes the container image layout, including layers and manifests) and the OCI Runtime Spec (which defines the lifecycle and configuration for running containers). This ensures interoperability between different container tools and platforms, such as Docker, Podman, and containerd.

Exam trap

CNCF often tests the misconception that the OCI is a tool or platform (like a registry or runtime) rather than a standards body, leading candidates to confuse it with Docker Hub or containerd.

How to eliminate wrong answers

Option A is wrong because hosting public container images is the role of container registries like Docker Hub, Quay.io, or Google Container Registry, not the OCI. Option B is wrong because providing a default container runtime for Kubernetes is not the OCI's responsibility; Kubernetes uses container runtimes like containerd or CRI-O, which may implement OCI specs but are not provided by the OCI itself. Option C is wrong because managing container orchestration is the function of orchestrators like Kubernetes, Docker Swarm, or Nomad, not the OCI, which focuses solely on standardization.

640
Multi-Selecthard

Which TWO of the following are valid reasons that a PersistentVolumeClaim (PVC) may remain in 'Pending' state?

Select 2 answers
A.The pod that references the PVC is not scheduled yet
B.No PersistentVolume exists that matches the PVC's storage class and size requirements
C.The PVC is using a StorageClass that does not exist
D.The PVC's access mode is 'ReadWriteMany' but the underlying storage only supports 'ReadWriteOnce'
E.The cluster's dynamic provisioner is unavailable or misconfigured
AnswersB, E

If there is no available PV that satisfies the PVC's spec, the PVC will remain Pending until a matching PV is created.

Why this answer

A PVC stays Pending if no matching PV exists that satisfies its requirements (storage class, access mode, size) or if there are insufficient resources on available nodes to bind the PV. The PV must be manually bound or dynamically provisioned.

641
MCQmedium

A user reports that they can access a service by its ClusterIP but not by its DNS name from within the cluster. What is the most likely cause?

A.The CoreDNS pod is not running or is misconfigured
B.The kube-proxy is not running on the node
C.The service is of type NodePort
D.The service selector does not match any pods
AnswerA

CoreDNS provides DNS resolution for services; if it's down, DNS names will not resolve.

Why this answer

CoreDNS is the cluster DNS component; if it is not running or misconfigured, DNS name resolution fails while direct IP access works.

642
MCQhard

A developer deploys a CronJob that runs a batch job every 5 minutes. After a while, they notice that the job fails with 'DeadlineExceeded' and the pod is stuck in 'PodInitializing' state. What is the most likely reason?

A.A pre-existing InitContainer is failing or stuck
B.The CronJob schedule is misconfigured
C.The container runtime is not installed on the node
D.The job's backoffLimit is set too low
AnswerA

A stuck InitContainer prevents the main container from starting, causing the pod to remain in PodInitializing. If the job's activeDeadlineSeconds passes, the job is terminated with DeadlineExceeded.

Why this answer

The 'PodInitializing' state indicates that the pod is stuck before its main containers can start, which is typically caused by an InitContainer that is failing or hanging. Since the job fails with 'DeadlineExceeded', the pod's activeDeadlineSeconds (or the CronJob's startingDeadlineSeconds) has been reached while the InitContainer is still running, preventing the main container from executing. This is the most likely reason because InitContainers run sequentially to completion before any main containers start, and a stuck InitContainer blocks the entire pod lifecycle.

Exam trap

CNCF often tests the distinction between 'PodInitializing' (caused by InitContainers or image pull issues) and 'ContainerCreating' (caused by container runtime or volume mount problems), leading candidates to incorrectly blame the container runtime or schedule misconfiguration.

How to eliminate wrong answers

Option B is wrong because a misconfigured CronJob schedule (e.g., wrong cron expression) would cause the job to run at incorrect times or not at all, but it would not cause a pod to be stuck in 'PodInitializing' with a 'DeadlineExceeded' error. Option C is wrong because if the container runtime were not installed on the node, the pod would likely remain in 'Pending' state (with an event like 'FailedCreatePodSandBox') rather than reaching 'PodInitializing', and the kubelet would report a runtime error. Option D is wrong because a low backoffLimit affects the number of retries after a job fails (e.g., if the main container exits with non-zero), but it does not cause a pod to be stuck in 'PodInitializing'; the 'DeadlineExceeded' error here is about the pod's active deadline, not the retry limit.

643
MCQmedium

An application requires that a specific set of pods be placed on nodes labeled with 'gpu=true'. Which Kubernetes field should be used in the pod spec to enforce this?

A.nodeSelector
B.topologySpreadConstraints
C.affinity.nodeAffinity
D.tolerations
AnswerA

nodeSelector matches the pod to nodes that have the specified label (e.g., gpu=true).

Why this answer

NodeSelector is the simplest way to constrain pods to nodes with specific labels.

644
MCQmedium

Which component runs on every worker node and ensures that containers are running in a Pod as specified in the Pod manifest?

A.kube-controller-manager
B.container runtime
C.kubelet
D.kube-proxy
AnswerC

The kubelet communicates with the API server and ensures containers are healthy.

Why this answer

The kubelet is the agent that runs on each node and manages the lifecycle of containers based on PodSpecs.

645
MCQhard

A developer creates a Service of type ClusterIP in namespace 'default'. They attempt to reach the Service from another pod in the same namespace using the Service name 'my-svc'. The connection fails. What is the most likely cause?

A.The Service port does not match the container port
B.The cluster DNS service (CoreDNS) is not running or misconfigured
C.The Service type should be NodePort
D.The Service selector does not match any pod labels
AnswerB

DNS is required for Service name resolution.

Why this answer

ClusterIP Services are only accessible within the cluster via DNS. If DNS resolution is not working, the pod cannot resolve the Service name.

646
MCQmedium

A developer creates a Deployment with 'replicas: 3'. After applying the manifest, only 2 pods are running. Which command would help identify why the third pod was not created?

A.kubectl logs deployment/my-deployment
B.kubectl get pods -o wide
C.kubectl get events --all-namespaces
D.kubectl describe deployment my-deployment
AnswerD

This command shows deployment events and status that reveal issues.

Why this answer

'kubectl describe deployment' shows events and status conditions that explain why a pod might not have been created.

647
Matchingmedium

Match each CNCF project to its primary function.

Concepts
Matches

Monitoring and alerting toolkit

High-performance proxy for service mesh

Package manager for Kubernetes

Distributed key-value store for cluster state

DNS server for service discovery in Kubernetes

Why these pairings

These are graduated CNCF projects commonly used in cloud native environments.

648
MCQhard

A pod is in CrashLoopBackOff state. 'kubectl logs pod' shows 'Error: cannot connect to database at db-service:5432'. The database Service exists and is reachable from other pods. What is the most likely cause?

A.The kube-proxy is not functioning
B.The pod's resource limits are too low
C.The database pod is not running
D.The application's configuration has incorrect database connection details
AnswerD

Why this answer

The error indicates the application cannot connect to the database. Since other pods can reach the database, the issue is specific to this pod. A common cause is that the pod's configuration (e.g., environment variables, config file) contains wrong connection details, such as incorrect service name, port, or credentials.

649
MCQeasy

What is the primary purpose of the CNCF (Cloud Native Computing Foundation)?

A.To host and nurture open source cloud native projects
B.To develop proprietary cloud software
C.To certify individuals in cloud technologies
D.To provide commercial support for Kubernetes
AnswerA

The CNCF hosts projects like Kubernetes, Prometheus, and others to advance cloud native technologies.

Why this answer

The CNCF's mission is to make cloud native computing ubiquitous by fostering and sustaining open source projects that follow cloud native principles.

650
MCQeasy

Which command would you use to view the current state of all Pods in the default namespace?

A.kubectl describe pods
B.kubectl get pods
C.kubectl list pods
D.kubectl show pods
AnswerB

This retrieves and displays the list of Pods.

Why this answer

The 'kubectl get pods' command lists Pods in the current namespace (default if not specified).

651
Multi-Selectmedium

Which TWO of the following are true about Kubernetes Pods?

Select 2 answers
A.A Pod always runs exactly one container
B.Pods are automatically rescheduled if a node fails
C.A Pod is the smallest deployable unit in Kubernetes
D.Containers within the same Pod share the same network namespace
E.Pods are directly created by the kube-scheduler
AnswersC, D

Pods are the smallest and simplest Kubernetes object.

Why this answer

Option C is correct because a Pod is the smallest and most basic deployable unit in Kubernetes. It represents a single instance of a running process and encapsulates one or more containers, storage resources, and a unique network IP. You cannot deploy a container directly; you must always wrap it in a Pod.

Exam trap

The trap here is that candidates confuse the Pod's ability to run multiple containers with the requirement to run exactly one, or they mistakenly think the scheduler creates Pods instead of only assigning them to nodes.

652
MCQhard

An application requires that a pod must not be scheduled on the same node as another pod from the same Deployment. Which configuration should be used?

A.Node affinity with requiredDuringSchedulingIgnoredDuringExecution
B.Pod affinity with a preferredDuringSchedulingIgnoredDuringExecution
C.Pod anti-affinity with requiredDuringSchedulingIgnoredDuringExecution and topologyKey: kubernetes.io/hostname
D.Taints and tolerations
AnswerC

This ensures the scheduler does not place two pods from the same deployment on the same node.

Why this answer

Pod anti-affinity with a requiredDuringSchedulingIgnoredDuringExecution rule and a topologyKey of 'kubernetes.io/hostname' ensures that pods are not co-located on the same node.
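The rule described above, written out as a Deployment manifest; this is an added illustration, not content from the exam page, and the Deployment name, labels and image are assumed:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api                # assumed name
spec:
  replicas: 3
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      affinity:
        podAntiAffinity:
          # "required" makes this a hard rule: the scheduler refuses to place a
          # second 'app=api' Pod on a node that already has one. If no such node
          # is free, the extra replica stays Pending rather than co-locating.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: api
              topologyKey: kubernetes.io/hostname   # one Pod per node
      containers:
        - name: api
          image: registry.example.com/api:1.0      # assumed image
```

The `topologyKey` decides what "same place" means: `kubernetes.io/hostname` spreads across nodes, while a zone label would spread across availability zones. Because the rule is required rather than preferred, the replica count must not exceed the number of schedulable nodes, or the surplus Pods will never be scheduled; the `IgnoredDuringExecution` part means Pods that are already running are not evicted if the node labels change later.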

653
Multi-Selecthard

Which THREE of the following are benefits of using a service mesh? (Select three.)

Select 3 answers
A.Automatic scaling of pods
B.Increased application performance
C.Fine-grained traffic control (e.g., canary deployments)
D.Improved observability through metrics and tracing
E.Simplified service-to-service security with mutual TLS
AnswersC, D, E

Service mesh enables advanced traffic routing.

Why this answer

Option C is correct because a service mesh, such as Istio or Linkerd, provides fine-grained traffic control through features like traffic splitting, header-based routing, and weighted load balancing. This enables canary deployments by directing a small percentage of traffic to a new version of a service, allowing safe testing in production without affecting all users.

Exam trap

CNCF often tests the misconception that a service mesh improves performance or handles autoscaling, when in fact it focuses on traffic management, security, and observability at the cost of some latency.

654
Multi-Selecthard

Which THREE of the following are valid reasons to use a StatefulSet instead of a Deployment? (Select 3)

Select 3 answers
A.The application needs to be scaled up and down quickly without regard to order.
B.The application requires stable unique network identifiers that persist across rescheduling.
C.The application is stateless and can be replicated arbitrarily.
D.Each Pod instance requires its own persistent storage that persists across rescheduling.
E.The application must handle graceful shutdown and ordered termination.
AnswersB, D, E

StatefulSet Pods have ordinal hostnames and stable network IDs.

Why this answer

StatefulSets are designed for stateful applications requiring stable network identities, persistent storage per Pod, and ordered deployment/termination.

655
MCQhard

A pod is running but its container exits with code 137. The pod logs show 'Killed'. What is the most likely cause?

A.The container's CPU limit was exceeded
B.The container's liveness probe failed
C.The container was OOMKilled due to memory limit
D.The node ran out of disk space
AnswerC

Exit code 137 is SIGKILL, often from OOM. The pod status would show OOMKilled.

Why this answer

Exit code 137 (128 + 9) indicates the container was terminated by SIGKILL. Combined with 'Killed' in logs, this is the definitive signature of an OOMKill event, where the Linux kernel's Out-Of-Memory (OOM) killer terminates the container process because it exceeded its memory limit (specified in the pod's resource limits). Kubernetes enforces memory limits via cgroups, and when the container's memory usage surpasses the limit, the OOM killer sends SIGKILL, resulting in exit code 137.

Exam trap

CNCF often tests the distinction between CPU throttling (which does not kill) and OOMKill (which does), and the trap here is that candidates confuse 'Killed' in logs with a generic failure, not recognizing exit code 137 as the specific OOMKill signal.

How to eliminate wrong answers

Option A is wrong because exceeding CPU limits causes CPU throttling (container runs slower) but never triggers a kill or exit code 137; the container continues running. Option B is wrong because a liveness probe failure results in Kubernetes restarting the container with exit code 143 (SIGTERM) or 0, not 137, and the logs would show 'Liveness probe failed' not 'Killed'. Option D is wrong because node disk pressure leads to pod eviction (not container OOM kill) with a different exit code and a Kubernetes event like 'Evicted', not exit code 137 and 'Killed' in container logs.

656
Multi-Selectmedium

Which TWO of the following are core principles of the 12-factor app methodology? (Select TWO.)

Select 2 answers
A.Manual approval for all production deployments
B.Use of a single programming language across all services
C.Store logs in a local file system
D.Strict separation of config from code
E.Maximize robustness through fast startup and graceful shutdown
AnswersD, E

Config should be stored in environment variables.

Why this answer

Option D is correct because the 12-factor app methodology mandates strict separation of config from code. Config includes things like database connection strings, API keys, and environment-specific values that vary between deployments. Storing these in environment variables (or external config files not checked into version control) ensures that the same codebase can be deployed to different environments without modification, which is a core principle for cloud-native portability and security.

Exam trap

CNCF often tests the misconception that logs should be stored locally for reliability, but the 12-factor methodology treats logs as event streams to stdout, relying on the execution environment (e.g., kubectl logs, log shippers) for aggregation and persistence.

657
MCQeasy

Refer to the exhibit. The deployment above is created, but the pods are not receiving traffic from the associated Service. The Service selector matches 'app: web'. The Service endpoints list is empty. What is the most likely cause?

A.The Service selector does not match the pod labels
B.The containerPort is set to 80, but the Service targetPort is 8080
C.The readiness probe endpoint /health does not exist in the nginx container
D.The nginx:1.21 image is not available in the container registry
AnswerC

The readiness probe is configured to GET /health on port 80, but the default nginx image does not serve a /health page. The probe fails, so the pod is not ready and is removed from Service endpoints.

Why this answer

The correct answer is C because a readiness probe that fails (e.g., the /health endpoint does not exist in the nginx container) will cause the pod to be marked as not ready. Kubernetes removes pods with failing readiness probes from the Service's endpoints list, resulting in an empty endpoints list even though the Service selector matches the pod labels. This is a common misconfiguration where the probe endpoint is not actually served by the container.

Exam trap

CNCF often tests the distinction between readiness probes and liveness probes, and the trap here is that candidates assume a missing endpoint only affects liveness (causing restarts) rather than readiness (causing removal from Service endpoints).

How to eliminate wrong answers

Option A is wrong because the question states that the Service selector matches 'app: web', and the pods are created with that label, so the selector does match. Option B is wrong because the containerPort and Service targetPort are independent; the Service routes traffic to the containerPort, not the targetPort, and a mismatch would not cause an empty endpoints list—it would cause connection failures to the pod. Option D is wrong because an unavailable container image would prevent the pod from running (e.g., ImagePullBackOff), but the question says the pods are created and not receiving traffic, implying they are running; an unavailable image would not lead to an empty endpoints list.

658
Multi-Selectmedium

Which TWO are components of a distributed trace? (Select two.)

Select 2 answers
A.Metrics
B.Traces
C.Spans
D.Logs
E.Alerts
AnswersB, C

Why this answer

A trace consists of spans, which are individual units of work.

659
MCQhard

A pod has both resource requests and limits defined. The container is using more CPU than the request but less than the limit. What will happen?

A.The container will be evicted from the node
B.The container will be throttled
C.The container will continue to run normally
D.The container will be terminated
AnswerC

CPU usage between request and limit is allowed; the container is guaranteed the request amount and can burst up to the limit.

Why this answer

CPU is a compressible resource; if usage is between request and limit, the container can burst and is not throttled or killed.

660
MCQhard

You deploy a new version of your application by updating the container image in the Deployment manifest. The rollout seems to be progressing, but after a few minutes you notice that the new Pods are failing and the old Pods are still running. What is the most likely reason?

A.The Deployment was created with 'kubectl create deployment' instead of 'kubectl apply'
B.The new Pods are failing readiness probes, so the Deployment pauses the rollout and keeps the old replicas
C.The new Pods are not receiving traffic because the Service selector doesn't match
D.The Deployment's update strategy is set to 'Recreate'
AnswerB

If readiness probes fail, the new Pods are not considered ready, and the Deployment controller will not continue the rollout, preserving the old replicas.

Why this answer

Option B is correct. By default, Deployments perform a rolling update with a strategy that may include maxSurge and maxUnavailable settings. If the new Pods fail readiness probes, the rollout will stop, and old Pods are kept running.

Option A would cause an error on apply. Option C is not a direct cause. Option D would cause the new Pods to be unavailable for traffic but not necessarily prevent them from starting.

661
MCQeasy

Which command would you use to view the logs of a container named 'nginx' in a Pod named 'web-pod'?

A.kubectl logs web-pod -c nginx
B.kubectl logs web-pod nginx
C.kubectl describe pod web-pod
D.kubectl exec web-pod -- cat /var/log/nginx/access.log
AnswerA

The -c flag specifies the container name when there are multiple containers.

Why this answer

Option A is correct: 'kubectl logs web-pod -c nginx' is the syntax for getting logs from a specific container in a multi-container Pod. Option B is for a single-container pod only. Option C shows the Pod's description and events, and Option D runs a command inside the container rather than fetching its logs.

662
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete and recreate the pod to clear the crash loop
B.Delete the namespace and redeploy all workloads
C.Increase the memory limit in the pod's container resource specification
D.Increase the CPU request for the container
AnswerC

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The pod is in CrashLoopBackOff due to OOMKilled, which means the container's memory usage exceeded its configured memory limit. The most appropriate action is to increase the memory limit in the pod's container resource specification, allowing the container to use more memory without being terminated by the Out-Of-Memory (OOM) killer. This directly addresses the root cause—insufficient memory allocation—while preserving the existing pod configuration and data.
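The fix described above, and the request/limit semantics from the earlier questions on exit code 137 and on CPU usage between request and limit, shown in one Pod manifest. This is an added example rather than content from the exam page; the image, the request values and the original limit are assumed:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
  namespace: production
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.4   # assumed image
      resources:
        requests:
          # What the scheduler reserves on a node. A Pod stays Pending if no node
          # has this much allocatable CPU and memory free.
          cpu: "250m"
          memory: "256Mi"
        limits:
          # CPU is compressible: usage above 250m but below 1 CPU is allowed
          # (bursting); usage above 1 CPU is throttled, never killed.
          cpu: "1"
          # Memory is not compressible: exceeding the limit makes the kernel
          # OOM killer send SIGKILL, seen as OOMKilled and exit code 137.
          # Raised here from an assumed 256Mi to stop the crash loop.
          memory: "512Mi"
```

After applying the change, `kubectl describe pod app-pod -n production` should no longer show OOMKilled as the last termination reason. Raising the limit is the right immediate action when the application genuinely needs the memory; if usage keeps climbing after the increase, the container is leaking and the limit is only postponing the next kill, so the memory growth itself needs investigating.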

Exam trap

The trap here is that candidates may confuse OOMKilled with a generic crash or resource issue and choose to delete/recreate the pod (Option A) or adjust CPU (Option D), rather than recognizing that the specific OOMKilled message points directly to a memory limit problem that must be addressed by increasing the memory limit.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the pod does not resolve the underlying memory limit issue; the new pod would still have the same resource constraints and would likely be OOMKilled again. Option B is wrong because deleting the entire namespace and redeploying all workloads is an extreme, disruptive action that unnecessarily affects other workloads and does not target the specific pod's memory problem. Option D is wrong because increasing the CPU request does not affect memory allocation; the OOMKilled error is caused by memory exhaustion, not CPU starvation, so this change would not prevent the container from being killed.

663
MCQeasy

A developer wants to ensure that a pod runs only on nodes with SSDs. Which mechanism should be used?

A.Apply a taint to nodes without SSDs and add tolerations to the pod
B.Use pod anti-affinity
C.Add a nodeSelector with disktype: ssd
D.Define a ResourceQuota
AnswerC

nodeSelector ensures pods are scheduled on nodes with the specified label.

Why this answer

Option C is correct because `nodeSelector` is a simple and direct mechanism in Kubernetes to constrain a pod to run only on nodes that have a specific label, such as `disktype=ssd`. By labeling nodes with SSDs and adding the corresponding `nodeSelector` in the pod spec, the scheduler ensures the pod is placed exclusively on those nodes. This approach is straightforward and does not require complex scheduling constraints or resource management.

Exam trap

The trap here is that candidates often confuse taints/tolerations with node selection, thinking they can be used to force pods onto specific hardware, when in fact taints repel pods and tolerations allow exceptions, whereas `nodeSelector` or `nodeAffinity` are the correct tools for positive selection.

How to eliminate wrong answers

Option A is wrong because taints and tolerations are used to repel pods from nodes (or allow them to tolerate repulsion), not to positively select nodes with specific hardware; they control which pods can run on a node but do not guarantee a pod will only run on nodes with SSDs. Option B is wrong because pod anti-affinity is used to prevent pods from co-locating on the same node or topology, not to select nodes based on hardware attributes like SSDs. Option D is wrong because a ResourceQuota limits resource consumption within a namespace and cannot influence node selection based on hardware characteristics.

664
MCQeasy

What is the primary purpose of the CNCF (Cloud Native Computing Foundation)?

A.To develop proprietary cloud software
B.To define cloud-native standards only
C.To certify cloud providers
D.To host and support open-source cloud-native projects
AnswerD

CNCF provides governance, marketing, and support for cloud-native open-source projects.

Why this answer

The CNCF hosts, supports, and sustains open-source cloud-native projects, ensuring they are vendor-neutral and fostering community collaboration. It does not develop projects itself but provides a governance model.

665
MCQmedium

Which of the following is true about Prometheus's pull-based model for collecting metrics?

A.Targets push metrics to Prometheus
B.Prometheus only collects metrics from Kubernetes API server
C.Prometheus scrapes metrics from HTTP endpoints
D.Prometheus stores metrics in a relational database
AnswerC

Prometheus pulls (scrapes) metrics from targets' /metrics endpoints.

Why this answer

Prometheus pulls metrics from targets at regular intervals, which is the pull-based model.

666
MCQhard

A Prometheus alert rule fires when the error rate exceeds 5% for 5 minutes. The alert is sent to Alertmanager. What must be configured in Alertmanager to ensure the alert is deduplicated, grouped, and routed to the correct team?

A.An inhibition rule
B.A recording rule
C.A silence rule
D.A route configuration
AnswerD

Routes in Alertmanager define grouping, deduplication, and which receiver to use.

Why this answer

Alertmanager uses routes to match alerts and receivers to send notifications. Routes define grouping and routing logic.
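Both halves of the scenario above, written as configuration: a Prometheus alerting rule that fires when the error rate stays above 5% for 5 minutes, and the Alertmanager route that groups, deduplicates and delivers it to the owning team. This is an added example and not content from the exam page; the metric name `http_requests_total`, its `status` and `service` labels, the `team` label, the receiver names and the webhook URLs are all assumed. The two documents below belong in separate files (the rule file referenced from the Prometheus config and `alertmanager.yml`); they are shown together with a `---` separator for brevity.

```yaml
# Prometheus rule file (assumed path, loaded via rule_files in prometheus.yml)
groups:
  - name: http-errors
    rules:
      - alert: HighErrorRate
        # Share of 5xx responses among all responses over the last 5 minutes,
        # evaluated per service. Metric and label names are assumed.
        expr: |
          sum by (service) (rate(http_requests_total{status=~"5.."}[5m]))
            / sum by (service) (rate(http_requests_total[5m])) > 0.05
        for: 5m                 # condition must hold for 5 minutes before firing
        labels:
          severity: critical
          team: payments        # assumed label; Alertmanager routes on it
        annotations:
          summary: "Error rate above 5% for {{ $labels.service }}"
---
# alertmanager.yml
route:
  receiver: default-receiver           # fallback when no child route matches
  group_by: ['alertname', 'service']   # alerts sharing these labels become one notification
  group_wait: 30s                      # wait for other alerts of the group before the first send
  group_interval: 5m                   # wait before sending updates for a changed group
  repeat_interval: 4h                  # an alert that keeps firing is re-sent only this often
  routes:
    - matchers:
        - team = payments              # route by the 'team' label set in the rule
      receiver: payments-oncall
receivers:
  - name: default-receiver
    webhook_configs:
      - url: https://hooks.example.com/default    # placeholder endpoint
  - name: payments-oncall
    webhook_configs:
      - url: https://hooks.example.com/payments   # placeholder endpoint
```

The route tree is what the question is asking about: `group_by` and the `group_*` timers control grouping, `repeat_interval` plus Alertmanager's own notification log handle deduplication when several Prometheus servers send the same alert, and the child route's `matchers` pick the receiver. Inhibition rules and silences, the distractor options, only suppress notifications; they never decide where one is delivered.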

667
MCQhard

You run 'kubectl get pods' and see a pod in 'Pending' state for over 5 minutes. You describe the pod and see '0/1 nodes are available: 1 Insufficient memory'. What is the most likely cause?

A.The container image is too large
B.The pod's memory request is larger than any node's allocatable memory
C.The pod has a liveness probe that is failing
D.The kubelet on the node is not running
AnswerB

If the memory request exceeds the available memory on all nodes, the scheduler cannot place the pod, leaving it in Pending.

Why this answer

The '0/1 nodes are available: 1 Insufficient memory' message indicates that the Kubernetes scheduler could not place the pod because no node has enough allocatable memory to satisfy the pod's memory request. Option B is correct because the pod's memory request exceeds the available memory on any node, causing the pod to remain in Pending state indefinitely until sufficient resources become available.

Exam trap

CNCF often tests the distinction between resource requests (used for scheduling) and resource limits (used for throttling/eviction). Candidates mistakenly think a large image or a probe failure causes the Pending state, but the scheduler only cares about resource requests and node availability.

How to eliminate wrong answers

Option A is wrong because a large container image affects image pull time and disk space, not the scheduler's placement decision; the scheduler considers the pod's resource requests against each node's allocatable capacity, not image size. Option C is wrong because a failing liveness probe would cause the container to be restarted, eventually leading to CrashLoopBackOff, not to a Pending state; liveness probes only run after the pod has been scheduled and is running. Option D is wrong because if the kubelet were not running, the node would show as NotReady or be absent from 'kubectl get nodes', and the scheduler would report a different error such as '0/1 nodes are available: 1 node(s) had taint that the pod didn't tolerate' or 'node(s) were unschedulable'.

668
Multi-Selectmedium

Which THREE of the following are core components of a Kubernetes worker node?

Select 3 answers
A.etcd
B.kube-apiserver
C.container runtime
D.kube-proxy
E.kubelet
AnswersC, D, E

Container runtime runs containers.

Why this answer

Option C is correct because a container runtime is a core component of a Kubernetes worker node. It is responsible for actually running the containers (e.g., containerd, CRI-O) and is required by the kubelet to manage pod lifecycle. Without a container runtime, the kubelet cannot start or stop containers on the node. Option D is correct because kube-proxy runs on every node and maintains the network rules that make Service traffic reach the right pods. Option E is correct because the kubelet is the node agent that registers with the API server and ensures the containers described in each assigned pod spec are running and healthy.

Exam trap

The trap here is that candidates often confuse control plane components (etcd, kube-apiserver) with worker node components, especially when they see them listed together in a question about cluster architecture.

669
MCQeasy

Which Kubernetes component is the primary entry point for all administrative tasks and API requests?

A.kube-controller-manager
B.etcd
C.kube-apiserver
D.kube-scheduler
AnswerC

It is the front-end for the Kubernetes control plane.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane and the sole entry point for all administrative tasks and API requests. It validates and processes RESTful API calls (using JSON/YAML over HTTP/HTTPS) before persisting state to etcd or delegating work to other controllers. Without the API server, no kubectl command, automation script, or internal component can interact with the cluster.

Exam trap

CNCF often tests the misconception that etcd is the primary entry point because it stores all cluster data, but the trap is that etcd is never accessed directly by users or external tools — all interactions must go through the kube-apiserver, which acts as the single gateway for security and consistency.

How to eliminate wrong answers

Option A is wrong because the kube-controller-manager is a control loop that watches the shared state via the API server and makes changes to move the current state toward the desired state; it does not accept external API requests directly. Option B is wrong because etcd is a distributed key-value store used for cluster state persistence, not an API endpoint; all reads and writes to etcd go through the kube-apiserver. Option D is wrong because the kube-scheduler is responsible for assigning pods to nodes based on resource availability and constraints, and it receives its instructions from the API server, not from external administrative requests.

670
MCQeasy

Which Kubernetes component is responsible for storing the cluster state?

A.kube-scheduler
B.kube-apiserver
C.etcd
D.kube-controller-manager
AnswerC

etcd stores all cluster state, including configurations and desired state.

Why this answer

etcd is a distributed, consistent key-value store used by Kubernetes to store all cluster data, including configuration, state, and metadata. It is the single source of truth for the cluster; without etcd, the cluster cannot maintain or recover its state. The kube-apiserver is the only component that communicates directly with etcd, but it is etcd itself that physically stores the data.

Exam trap

CNCF often tests the misconception that kube-apiserver stores the cluster state because it is the central API gateway, but the trap is that kube-apiserver only mediates access while etcd is the actual persistent storage layer.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is responsible for assigning pods to nodes based on resource availability and constraints, not for storing cluster state. Option B is wrong because kube-apiserver is the front-end for the Kubernetes control plane that validates and processes API requests, but it does not store data; it reads from and writes to etcd. Option D is wrong because kube-controller-manager runs controller processes (e.g., Node Controller, Replication Controller) that regulate cluster state, but it does not persist state itself.

671
Multi-Selectmedium

Which TWO of the following are valid ways to expose a set of pods to traffic from outside the Kubernetes cluster?

Select 2 answers
A.Service of type NodePort
B.Ingress
C.Service of type ExternalName
D.Service of type ClusterIP
E.Service of type LoadBalancer
AnswersA, E

Why this answer

A Service of type NodePort exposes the service on a static port on each node's IP address. Traffic sent to that port on any cluster node is forwarded to the underlying service, making it accessible from outside the cluster without requiring a cloud load balancer. A Service of type LoadBalancer builds on this by asking the cloud provider to provision an external load balancer with its own reachable address that forwards traffic to the service. Ingress and ClusterIP do not expose pods by themselves: ClusterIP is reachable only inside the cluster, Ingress only routes HTTP/HTTPS traffic to Services and still depends on an Ingress controller that is itself exposed through a Service, and ExternalName merely maps a Service name to an external DNS name.

Exam trap

CNCF often tests the distinction between Ingress (a routing layer) and Service types (the actual exposure mechanism), leading candidates to mistakenly select Ingress as a direct exposure method.

672
MCQmedium

You have a microservices application deployed as a set of Pods in a Kubernetes cluster. You need to ensure that Pods can discover each other using stable DNS names. Which Kubernetes resource should you create?

A.ConfigMap
B.Ingress
C.Service
D.Deployment
AnswerC

A Service exposes a stable DNS name (e.g., my-service.namespace.svc.cluster.local) for Pods.

Why this answer

A Service of type ClusterIP (the default) provides a stable virtual IP and DNS name (e.g., my-service.namespace.svc.cluster.local) that resolves to the Pods selected by its label selector. This allows Pods to discover each other using consistent DNS names, regardless of Pod IP changes due to scaling or restarts. The kube-dns or CoreDNS addon automatically creates DNS records for Services, enabling service discovery within the cluster.

Exam trap

CNCF often tests the misconception that a Deployment itself provides stable DNS names, but Deployments only manage Pod replicas; the Service resource is required to expose a stable network endpoint and DNS record.

How to eliminate wrong answers

Option A is wrong because a ConfigMap is used to store configuration data as key-value pairs, not to provide network endpoints or DNS names for Pod discovery. Option B is wrong because an Ingress manages external HTTP/HTTPS traffic routing to Services, not internal Pod-to-Pod DNS-based discovery. Option D is wrong because a Deployment manages the desired state and lifecycle of Pods (replicas, updates), but does not create a stable network identity or DNS name for Pods to discover each other.

673
MCQeasy

Which kubectl command is used to view detailed information about a Kubernetes resource?

A.kubectl describe
B.kubectl get
C.kubectl exec
D.kubectl logs
AnswerA

describe provides detailed information.

Why this answer

The 'describe' command provides detailed information about a resource, including events, configuration, and status.

674
MCQmedium

Which component in an event-driven architecture is responsible for decoupling event producers from consumers?

A.Config server
B.Event broker
C.API gateway
D.Service mesh
AnswerB

Event broker (e.g., Kafka, RabbitMQ) decouples producers and consumers by managing event streams.

Why this answer

An event broker (or message broker) acts as an intermediary that receives events from producers and delivers them to consumers, allowing loose coupling. The API gateway handles synchronous requests. The service mesh handles service-to-service communication. The config server manages configuration.

675
MCQmedium

In a microservices architecture, which pattern is used to prevent cascading failures by limiting the number of concurrent requests to a service?

A.Bulkhead
B.Timeout
C.Retry
D.Circuit breaker
AnswerA

Bulkhead limits concurrent requests to protect resources.

Why this answer

The bulkhead pattern partitions resources (for example, per-dependency connection pools or concurrency limits) so that one failing or slow dependency cannot exhaust the resources needed by others, preventing failure propagation. A circuit breaker stops calls to a dependency after repeated failures, retry reattempts a failed call, and a timeout limits how long a caller waits for a response.
