CCNA Kubernetes Fundamentals Questions

75 of 436 questions · Page 3/6 · Kubernetes Fundamentals · Answers revealed

151
Multi-Select · medium

Which two of the following are valid ways to expose a Deployment externally to the internet? (Select TWO)

Select 2 answers
A. Create a Service of type ClusterIP
B. Create an Ingress resource
C. Create a Service of type LoadBalancer
D. Create a Headless Service
E. Create a Service of type NodePort
Answers: C, E

LoadBalancer provisions an external load balancer and assigns a public IP.

Why this answer

Option C is correct because a Service of type LoadBalancer provisions an external load balancer (e.g., in cloud environments like AWS, GCP, or Azure) that assigns a public IP or DNS name, making the Deployment directly accessible from the internet. This is a standard method for exposing services externally in Kubernetes.

Exam trap

The trap here is that candidates often confuse Ingress as a standalone external exposure method, forgetting that Ingress requires a backing Service (typically NodePort or LoadBalancer) to actually route traffic from the internet.

152
MCQ · hard

A pod has resource requests: cpu: 250m, memory: 512Mi and limits: cpu: 500m, memory: 1Gi. If the container tries to use 600m CPU and 700Mi memory, what will happen?

A. The container will be allowed to use the extra resources because limits are only soft constraints
B. The container will be throttled for CPU and may be terminated if it continues to exceed the limit
C. The container will be throttled for CPU, but will not be killed because memory is within limits
D. The container will be killed immediately because it exceeded its CPU limit
Answer: C

CPU above limit -> throttled; memory below limit -> no OOM kill.

Why this answer

If a container exceeds its CPU limit, it gets throttled (not killed). If it exceeds its memory limit, it is killed (OOMKilled). Here, CPU usage 600m exceeds limit 500m -> throttled; memory usage 700Mi is below limit 1Gi -> no OOM.

153
MCQ · hard

A pod is stuck in 'Pending' state. 'kubectl describe pod' shows '0/4 nodes are available: 4 Insufficient memory'. What is the most likely cause?

A. All nodes have taints that the pod cannot tolerate
B. The pod's liveness probe is failing
C. The container image is not found
D. The pod requires more memory than any node can allocate
Answer: D

The error indicates no node has enough available memory.

Why this answer

The scheduler cannot find a node with enough memory to satisfy the pod's resource requests.

154
MCQ · hard

A DevOps engineer wants to ensure that a critical application pod is rescheduled on a different node if its current node fails. The pod should be scheduled with a preference for nodes in a specific availability zone but can run elsewhere if needed. Which scheduling mechanism should be used?

A. Use a StatefulSet with podAntiAffinity.
B. Use a Deployment with a preferred nodeAffinity rule.
C. Run a static pod defined in the kubelet configuration.
D. Create a DaemonSet with a nodeSelector for the zone.
Answer: B

Correct; Deployment ensures rescheduling via ReplicaSet, nodeAffinity provides preference.

Why this answer

A Deployment with a preferred nodeAffinity rule is correct because it allows the pod to be rescheduled on a different node if the current node fails, while expressing a preference for nodes in a specific availability zone. The 'preferred' (soft) rule ensures scheduling flexibility—the pod can run elsewhere if no zone-matching nodes are available—which aligns with the requirement for high availability without strict zone constraints.

Exam trap

The trap here is that candidates confuse 'preferred' (soft) nodeAffinity with 'required' (hard) nodeAffinity, or mistakenly think DaemonSets or StatefulSets are needed for node failure recovery, when a simple Deployment with a soft scheduling preference is the correct mechanism for zone-aware rescheduling.

How to eliminate wrong answers

Option A is wrong because a StatefulSet with podAntiAffinity controls pod placement relative to other pods (e.g., spreading replicas across nodes), not rescheduling behavior after node failure, and does not express zone preference. Option C is wrong because a static pod is managed directly by the kubelet on a specific node and cannot be rescheduled to a different node if that node fails—it is tied to the node's lifecycle. Option D is wrong because a DaemonSet runs exactly one pod per node by default, which is not suitable for a single critical application pod, and nodeSelector enforces a hard constraint (not a preference) that would prevent scheduling if no zone-matching nodes exist.

155
MCQ · medium

Which resource provides stable network endpoints to a set of pods, regardless of pod IP changes?

A. ConfigMap
B. Service
C. Deployment
D. Ingress
Answer: B

A Service abstracts pod IPs and provides a stable endpoint.

Why this answer

A Service provides a stable virtual IP and DNS name that routes traffic to pods matching its selector.

156
MCQ · hard

A pod is running but you need to view the contents of a file '/var/log/app.log' inside the container to debug an issue. Which kubectl command allows you to do this without modifying the pod?

A. `kubectl logs pod-name -c container-name --tail=100`
B. `kubectl cp pod-name:/var/log/app.log -`
C. `kubectl exec pod-name -- cat /var/log/app.log`
D. `kubectl attach pod-name`
Answer: C

Executes 'cat' inside the container to display the file.

Why this answer

Option C is correct because `kubectl exec pod-name -- cat /var/log/app.log` runs the `cat` command inside the container without modifying the pod or its state. This allows you to view the file contents directly from the container's filesystem, which is essential for debugging when the application logs are not written to stdout/stderr and thus not accessible via `kubectl logs`.

Exam trap

The trap here is that candidates often confuse `kubectl logs` with reading arbitrary files, assuming it can retrieve any log file, when in fact it only captures container stdout/stderr streams, while `kubectl exec` is the correct tool for accessing files inside a container.

How to eliminate wrong answers

Option A is wrong because `kubectl logs` only retrieves logs written to the container's stdout/stderr streams, not arbitrary files like `/var/log/app.log`. Option B is wrong because `kubectl cp` is used to copy files between a pod and the local machine, but the syntax shown (`kubectl cp pod-name:/var/log/app.log -`) is incomplete and would fail; the correct usage requires a local destination path, and even then it modifies the pod's filesystem only if copying into the pod, but here it attempts to copy out, which does not modify the pod but the command as given is invalid. Option D is wrong because `kubectl attach` attaches to the container's main process (usually PID 1) and streams its stdout/stderr, which does not allow you to read an arbitrary file and typically interferes with the running process.

157
MCQ · medium

A Deployment named 'web' has 3 replicas. You run 'kubectl scale deployment web --replicas=5'. What will happen?

A. Two additional Pods are created to reach a total of 5 replicas.
B. An error occurs because scaling a Deployment is not allowed.
C. The Deployment is updated and all Pods are restarted.
D. The existing Pods are deleted and 5 new Pods are created.
Answer: A

Scaling increases the replica count from 3 to 5, creating 2 new Pods.

Why this answer

The scale command changes the desired number of replicas for the Deployment. The Deployment controller will then create 2 additional Pods to reach 5 replicas.

158
Multi-Select · hard

Which three components are part of the Kubernetes control plane? (Select THREE)

Select 3 answers
A. etcd
B. kube-apiserver
C. kube-proxy
D. kube-controller-manager
E. kubelet
Answers: A, B, D

etcd stores cluster state.

Why this answer

etcd is a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data. It stores the entire cluster state, including configuration, secrets, and metadata, and is a core component of the control plane because the API server reads from and writes to it to maintain cluster integrity.

Exam trap

CNCF often tests the distinction between control plane and worker node components, and the trap here is that candidates confuse kube-proxy or kubelet as control plane components because they are essential to cluster operation, but they actually run on every node and are not part of the control plane.

159
MCQ · easy

Which Kubernetes control plane component is responsible for maintaining the desired state of the cluster, such as ensuring the correct number of pods are running?

A. kube-controller-manager
B. kube-apiserver
C. kube-scheduler
D. etcd
Answer: A

The controller manager runs controllers (e.g., replication controller) to ensure the current state matches the desired state.

Why this answer

The kube-controller-manager is the control plane component that runs controller processes, including the Replication Controller, which is responsible for ensuring that the desired number of pod replicas are running at all times. It continuously watches the state of the cluster via the kube-apiserver and makes adjustments to reconcile the current state with the desired state defined in the cluster's configuration.

Exam trap

CNCF often tests the distinction between the component that stores state (etcd) and the component that actively reconciles state (kube-controller-manager), leading candidates to mistakenly choose etcd because it holds the desired state data.

How to eliminate wrong answers

Option B is wrong because the kube-apiserver is the front-end for the Kubernetes control plane that exposes the Kubernetes API, handling authentication, authorization, and API requests, but it does not directly manage the desired state of pods or other resources. Option C is wrong because the kube-scheduler is responsible for assigning newly created pods to nodes based on resource availability and constraints, not for maintaining the desired number of running pods. Option D is wrong because etcd is a distributed key-value store that holds the cluster's configuration and state data, but it is a data store, not a controller that actively reconciles desired state.

160
MCQ · hard

An application requires a unique identifier per replica, stored in an environment variable. Which Kubernetes resource should be used to inject this identifier into each pod without manual updates?

A. Deployment with pod anti-affinity to schedule each pod on a different node.
B. StatefulSet with an environment variable derived from the pod name.
C. DaemonSet with a node name environment variable.
D. Job with a completion index environment variable.
Answer: B

StatefulSet pods have stable, unique names (e.g., myapp-0).

Why this answer

A StatefulSet provides stable, unique network identities and persistent storage per replica. The pod name (e.g., pod-0, pod-1) can be exposed via the Downward API or hostname. Option A is correct.

Option B is wrong because Deployments create identical pods without ordering. Option C is wrong because DaemonSets run one pod per node. Option D is wrong because Jobs are for batch processing.

161
MCQ · easy

What is the primary purpose of the Kubernetes control plane component 'kube-apiserver'?

A. Run container runtime operations on nodes
B. Schedule pods onto nodes
C. Store cluster state and configuration
D. Expose the Kubernetes REST API and act as the entry point for all administrative tasks
Answer: D

The API server is the entry point for all REST commands used to control the cluster.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane. It exposes the Kubernetes API, which is used to interact with the cluster. All other components communicate through it.

162
Multi-Select · medium

Which TWO components are part of the Kubernetes control plane?

Select 2 answers
A. kube-proxy
B. kubelet
C. etcd
D. kube-apiserver
E. container runtime
Answers: C, D

etcd is the control plane's key-value store.

Why this answer

The control plane consists of kube-apiserver, etcd, kube-scheduler, and kube-controller-manager. kubelet and kube-proxy are worker node components.

163
Multi-Select · hard

Which THREE of the following are valid apiVersions for Kubernetes resources?

Select 3 answers
A. batch/v1
B. v1
C. apps/v1
D. extensions/v1beta1
E. v1beta1
Answers: A, B, C

Correct apiVersion for Jobs and CronJobs.

Why this answer

apps/v1 is for Deployments, StatefulSets, etc. batch/v1 is for Jobs and CronJobs. networking.k8s.io/v1 is for NetworkPolicy and Ingress. v1 is the core API version for Pods, Services, etc.

164
MCQ · medium

You need to run a batch job that processes data and then exits. Which Kubernetes resource type is most appropriate for this workload?

A. Deployment
B. DaemonSet
C. Job
D. StatefulSet
Answer: C

Jobs are designed for finite tasks that run to completion.

Why this answer

Option D is correct. A Job is designed for running tasks that complete successfully and then terminate. A Deployment is for long-running services, a DaemonSet runs a pod on each node, and a StatefulSet is for stateful applications requiring stable identities.

165
MCQ · medium

You run 'kubectl get pods' and see a Pod in the 'Pending' state. Which of the following is a likely cause?

A. No node meets the requested CPU or memory resources
B. The application crashed due to a bug
C. The container image is missing
D. The Pod has been deleted
Answer: A

Insufficient resources on any node can cause Pending state.

Why this answer

Pending often indicates that the scheduler cannot find a node that meets the Pod's resource requests or other constraints.

166
Multi-Select · medium

Which TWO of the following are benefits of using a Deployment over managing ReplicaSets directly? (Choose two.)

Select 2 answers
A. Support for stateful workloads
B. Declarative scaling
C. Direct access to pod IP addresses
D. Automatic rolling updates and rollbacks
E. Ability to run a pod on every node
Answers: B, D

Deployments allow you to declaratively set replica count.

Why this answer

Deployments provide rolling updates and rollback capabilities, and declarative updates. ReplicaSets do not support rolling updates natively.

167
MCQ · easy

Which component of the Kubernetes control plane is responsible for storing the cluster state?

A. kube-scheduler
B. kube-controller-manager
C. etcd
D. kube-apiserver
Answer: C

etcd is the key-value store that stores all cluster data.

Why this answer

etcd is a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data.

168
MCQ · easy

What is the primary purpose of a liveness probe in a container?

A. To check resource usage like CPU and memory
B. To check if the container is still alive; restart if not
C. To check if the container is ready to serve traffic
D. To check if the pod is scheduled on the correct node
Answer: B

Correct. Liveness probes restart containers that become unresponsive.

Why this answer

Liveness probes determine if a container is running; if they fail, kubelet restarts the container.

169
MCQ · easy

What is the smallest deployable unit in Kubernetes?

A. Deployment
B. Container
C. Node
D. Pod
Answer: D

Pods are the smallest deployable units in Kubernetes.

Why this answer

A Pod is the smallest and simplest unit in the Kubernetes object model, representing a single instance of a running process.

170
MCQ · hard

A StatefulSet named 'web' with 3 replicas is deployed in the 'production' namespace. The first two pods are running, but the third pod 'web-2' is pending with the error shown. What is the most likely cause?

A. The StatefulSet requires a headless Service that does not exist
B. The pod anti-affinity rule prevents more than one pod per node, and there are only 3 nodes
C. The pod has a resource request that cannot be satisfied by any node
D. There are not enough nodes in the cluster to schedule the third pod
Answer: B

The scheduler cannot place web-2 because all nodes already have a pod from the same set.

Why this answer

The error indicates that the third pod 'web-2' is pending due to a scheduling conflict. Pod anti-affinity rules, when configured with a 'requiredDuringSchedulingIgnoredDuringExecution' policy, prevent more than one pod from the same StatefulSet from being scheduled on the same node. With only 3 nodes available and the first two pods already occupying distinct nodes, the third pod cannot be placed, causing it to remain pending.

Exam trap

Cisco often tests the distinction between resource constraints and scheduling constraints (like anti-affinity), leading candidates to mistakenly choose 'not enough nodes' when the real issue is a rule that prevents using all available nodes.

How to eliminate wrong answers

Option A is wrong because a headless Service is required for stable network identities in a StatefulSet, but its absence would cause DNS resolution failures, not a scheduling/pending error. Option C is wrong because resource requests that cannot be satisfied would produce an 'Insufficient cpu' or 'Insufficient memory' event, not a generic pending error tied to node count. Option D is wrong because the cluster has exactly 3 nodes, which matches the replica count; the issue is not the number of nodes but the anti-affinity rule preventing co-location on the same node.

171
MCQ · medium

You need to run a batch job that processes a queue and then terminates. Which Kubernetes resource is most appropriate?

A. StatefulSet
B. Job
C. Deployment
D. DaemonSet
Answer: B

Jobs run Pods that perform a task and then terminate.

Why this answer

A Job is the correct resource because it is designed to run a specified number of pods to completion and then terminate, making it ideal for batch processing tasks like processing a queue. Unlike controllers that maintain a desired state indefinitely, a Job ensures the pod runs successfully to completion, even if the pod fails and needs to be restarted, and then stops.

Exam trap

CNCF often tests the distinction between controllers that maintain a desired state (Deployment, StatefulSet, DaemonSet) versus controllers that run to completion (Job), and the trap here is assuming that any workload that processes data must use a Deployment because it's the most common controller.

How to eliminate wrong answers

Option A is wrong because a StatefulSet is used for stateful applications that require stable, unique network identifiers and persistent storage, not for batch jobs that terminate. Option C is wrong because a Deployment is designed to maintain a desired number of replica pods running continuously, not to run a task to completion and then stop. Option D is wrong because a DaemonSet ensures that a copy of a pod runs on every node (or a subset of nodes) in the cluster, typically for cluster-level services like logging or monitoring, not for one-off batch processing.

172
MCQ · easy

A DevOps engineer needs to expose a set of pods running an HTTP API to external clients. The pods are stateless and should be load-balanced. Which Kubernetes resource should they use?

A. StatefulSet with a headless Service
B. Ingress resource without a Service
C. Service of type ClusterIP
D. Service of type LoadBalancer
Answer: D

LoadBalancer exposes the service externally and provides load balancing.

Why this answer

A Service of type LoadBalancer is the correct choice because it provisions an external load balancer (e.g., an AWS ELB or Azure LB) that distributes incoming traffic across the pods, exposing the stateless HTTP API to external clients. This resource automatically assigns a public IP and handles load balancing without requiring manual proxy configuration, making it ideal for external access to stateless workloads.

Exam trap

The trap here is that candidates often confuse 'exposing to external clients' with internal-only services, leading them to pick ClusterIP (C) or assume Ingress (B) can work without a Service, while the question explicitly requires load balancing for stateless pods, making LoadBalancer the direct and correct answer.

How to eliminate wrong answers

Option A is wrong because a StatefulSet is designed for stateful applications (e.g., databases) that require stable network identities and persistent storage, not for stateless HTTP APIs, and a headless Service does not provide load balancing or external exposure. Option B is wrong because an Ingress resource cannot function without a backing Service; it requires a Service (typically of type NodePort or LoadBalancer) to route traffic to pods, and it does not itself expose pods directly. Option C is wrong because a Service of type ClusterIP is only reachable within the cluster's internal network (e.g., via cluster IP 10.0.0.1) and cannot be accessed by external clients without additional components like a proxy or Ingress.

173
MCQ · hard

A pod remains in 'Pending' state. Upon inspecting the pod with 'kubectl describe pod', you see the message '0/1 nodes are available: 1 node(s) had taint {node.kubernetes.io/disk-pressure: }, that the pod didn't tolerate'. What is the most likely cause?

A. The pod is not using a ServiceAccount
B. The node has a disk pressure condition and the pod lacks a toleration
C. The pod's resource requests exceed the node's capacity
D. The pod's container image does not exist
Answer: B

The taint 'node.kubernetes.io/disk-pressure' indicates disk pressure on the node. Pods without a toleration for this taint cannot be scheduled.

Why this answer

The taint indicates a node has disk pressure, and the pod does not have a toleration for it, so it cannot be scheduled on that node.

174
MCQ · medium

A team observes that a Pod is stuck in CrashLoopBackOff. The Pod runs a single container with an entrypoint that exits with non-zero code after a few seconds. The team wants to inspect the container's logs to understand why it is crashing. Which command should they use?

A. `kubectl get pods`
B. `kubectl logs <pod-name> --previous`
C. `kubectl describe pod <pod-name>`
D. `kubectl exec -it <pod-name> -- sh`
Answer: B

Shows logs from the previous container instance, useful for crash logs.

Why this answer

The `kubectl logs <pod-name> --previous` command retrieves the logs from the previous instance of a crashed container. Since the Pod is in CrashLoopBackOff, the current container has already exited, and the `--previous` flag accesses the logs of the last terminated container, which contains the crash output (e.g., the non-zero exit code and error messages). This is the direct way to see why the entrypoint failed.

Exam trap

CNCF often tests the distinction between `kubectl logs` (which shows container output) and `kubectl describe pod` (which shows events and status), leading candidates to choose describe when they need actual log content.

How to eliminate wrong answers

Option A is wrong because `kubectl get pods` only lists the Pods and their statuses (e.g., CrashLoopBackOff), but does not provide any logs or crash details. Option C is wrong because `kubectl describe pod <pod-name>` shows the Pod's metadata, events, and container status (including restart count and last exit code), but it does not show the container's stdout/stderr logs, which are needed to understand the crash reason. Option D is wrong because `kubectl exec -it <pod-name> -- sh` attempts to open a shell in a running container, but the container is crashing and not running, so the exec command will fail with an error like 'cannot exec into a container in a crashed state'.

175
MCQ · hard

An application requires that configuration data be mounted as a file inside the container. The data may change at runtime, and the application should automatically read the updated values without restarting. Which approach should be used?

A. Store the configuration in a Secret and mount it using subPath
B. Use a ConfigMap mounted as a volume without subPath
C. Use a PersistentVolumeClaim to store the configuration
D. Store the configuration in an environment variable from a ConfigMap
Answer: B

When mounted as a volume without subPath, the files are updated via symlinks, and the application can read the new content if it watches for changes.

Why this answer

When a ConfigMap is mounted as a volume with `subPath`, updates are not reflected automatically. Using a projected volume or a symlink-based update (e.g., mounting the ConfigMap directly without subPath) allows automatic updates. The simplest way is to mount the ConfigMap as a volume without subPath, so updates are eventually reflected.

176
MCQ · easy

Which Kubernetes component is responsible for maintaining the desired state of the cluster by running controllers?

A. kube-apiserver
B. kube-scheduler
C. kube-controller-manager
D. etcd
Answer: C

Correct. It runs controller processes like node controller, replication controller, etc.

Why this answer

The kube-controller-manager is the component that runs controller processes, which are control loops that watch the shared state of the cluster through the kube-apiserver and make changes to drive the current state toward the desired state. It bundles together controllers such as the Node Controller, Replication Controller, and Endpoint Controller, each responsible for specific aspects of cluster state management.

Exam trap

CNCF often tests the misconception that the kube-apiserver is responsible for maintaining desired state because it is the central API gateway, but the actual enforcement is done by controllers within the kube-controller-manager.

How to eliminate wrong answers

Option A is wrong because kube-apiserver is the front-end for the Kubernetes control plane that exposes the Kubernetes API, handling authentication, authorization, and validation of API requests, but it does not run controllers to maintain desired state. Option B is wrong because kube-scheduler is responsible for assigning newly created pods to nodes based on resource requirements and constraints, not for running controllers that maintain cluster state. Option D is wrong because etcd is a distributed key-value store that serves as Kubernetes' backing store for all cluster data, but it does not execute controller logic or enforce desired state.

177
Multi-Select · easy

Which TWO components are part of the Kubernetes worker node?

Select 2 answers
A. kube-apiserver
B. etcd
C. kube-scheduler
D. kube-proxy
E. kubelet
Answers: D, E

kube-proxy runs on each worker node to handle networking.

Why this answer

Worker nodes run kubelet, kube-proxy, and a container runtime. The API server and scheduler run on the control plane.

178
MCQ · easy

What is the smallest deployable unit in Kubernetes that can be created and managed?

A. Deployment
B. Service
C. Container
D. Pod
Answer: D

A Pod encapsulates one or more containers, storage, and network.

Why this answer

A Pod is the smallest and simplest Kubernetes object, representing a single instance of a running process in the cluster.

179
MCQ · easy

Which command creates a Deployment named 'nginx' from the 'nginx:1.19' image?

A. `kubectl run nginx --image=nginx:1.19`
B. `kubectl create deployment nginx --image=nginx:1.19`
C. `kubectl start deployment nginx --image=nginx:1.19`
D. `kubectl apply -f nginx-deployment.yaml`
Answer: B

This creates a Deployment named nginx with the specified image.

Why this answer

Option B is correct because the `kubectl create deployment` command is the standard Kubernetes imperative method to create a Deployment resource, and specifying `--image=nginx:1.19` directly sets the container image for the pod template. This command generates a Deployment object that manages a ReplicaSet with the specified image, ensuring declarative updates and rollback capabilities.

Exam trap

The trap here is that candidates confuse `kubectl run` (which creates a Pod, not a Deployment) with `kubectl create deployment`, especially since older versions of `kubectl run` could create Deployments, but the current behavior defaults to Pod creation unless the `--generator` flag is used.

How to eliminate wrong answers

Option A is wrong because `kubectl run` creates a standalone Pod (or in newer versions a Deployment with `--generator=deployment/v1beta1` deprecated), not a Deployment resource; it does not provide the same lifecycle management, scaling, or rolling update features as a Deployment. Option C is wrong because `kubectl start deployment` is not a valid kubectl command; the correct imperative verb is `create`, not `start`. Option D is wrong because while `kubectl apply -f nginx-deployment.yaml` can create a Deployment, it requires a pre-existing YAML manifest file, not a direct image specification, and the question asks for the command that creates a Deployment from the image directly.

180
MCQ · medium

You want to isolate a team's workloads within a Kubernetes cluster so that they cannot see or access resources from other teams. Which feature should you use?

A. Annotations
B. Labels and selectors
C. Resource quotas
D. Namespaces
Answer: D

Namespaces create isolated scopes for resources.

Why this answer

Namespaces provide logical isolation and are commonly used to separate teams or environments. Combined with RBAC and NetworkPolicies, they enable multi-tenancy.

181
Multi-Select · medium

Which two of the following are valid ways to set resource constraints on a container in a Pod spec?

Select 2 answers
A. Specify 'resources.guarantees.cpu' for CPU guarantees
B. Specify 'resources.limits.memory' for maximum memory
C. Specify 'resources.min.memory' for minimum memory
D. Specify 'resources.requests.cpu' for minimum CPU
E. Specify 'resources.max.cpu' for CPU limits
Answers: B, D

Limits cap resource usage.

Why this answer

Option B is correct because 'resources.limits.memory' is the valid Kubernetes field to set the maximum amount of memory a container can use. When a container exceeds this limit, it may be terminated or OOM-killed by the kubelet. This is a core concept in Kubernetes resource management for ensuring predictable application behavior.

Exam trap

The trap here is that candidates confuse the naming convention of Kubernetes resource fields (e.g., 'limits' vs 'max', 'requests' vs 'min' or 'guarantees'), leading them to choose plausible-sounding but non-existent keys like 'resources.max.cpu' or 'resources.guarantees.cpu'.

182
MCQ · medium

Which Kubernetes object is used to store non-confidential configuration data that can be consumed by pods?

A. ServiceAccount
B. Secret
C. ConfigMap
D. PersistentVolume
Answer: C

ConfigMaps store non-sensitive configuration data.

Why this answer

ConfigMap is the correct Kubernetes object for storing non-confidential configuration data, such as environment variables, command-line arguments, or configuration files, that can be consumed by pods. Unlike Secrets, ConfigMaps store data in plain text and are designed for configuration that does not require encryption, making them ideal for application settings that are not sensitive.

Exam trap

CNCF often tests the distinction between ConfigMaps and Secrets, where candidates mistakenly choose Secrets for all configuration data, forgetting that Secrets are intended only for sensitive information and ConfigMaps are the correct choice for non-confidential data.

How to eliminate wrong answers

Option A is wrong because a ServiceAccount is an identity object used to control pod-level authentication to the Kubernetes API server, not for storing configuration data. Option B is wrong because a Secret is specifically designed for storing sensitive data (e.g., passwords, tokens, SSH keys) and is base64-encoded, not for non-confidential configuration. Option D is wrong because a PersistentVolume is a storage resource abstraction that provides persistent storage to pods, not a mechanism for injecting configuration data.

183
MCQ · easy

Which Kubernetes resource provides a stable IP address and DNS name to access a set of pods?

A. Ingress
B. EndpointSlice
C. Service
D. NetworkPolicy
Answer: C

A Service provides a stable IP and DNS name to reach a group of pods.

Why this answer

Option C is correct because a Kubernetes Service provides a stable virtual IP address and a DNS name (e.g., my-svc.namespace.svc.cluster.local) that remains constant even as the underlying pods are created, destroyed, or scaled. This abstraction allows clients to reliably reach a set of pods without needing to track individual pod IPs, which are ephemeral. Services use label selectors to dynamically route traffic to matching pods, ensuring high availability and load balancing.

Exam trap

The trap here is that candidates often confuse Ingress (which provides external access) with the internal stable IP/DNS abstraction provided by a Service, or they mistakenly think EndpointSlice (a newer, more scalable replacement for Endpoints) is the resource that offers a stable network identity.

How to eliminate wrong answers

Option A is wrong because Ingress is not a stable IP/DNS resource for pods; it is an API object that manages external HTTP/HTTPS access to Services, typically providing host-based or path-based routing and TLS termination, but it does not itself assign a stable IP or DNS name to a set of pods. Option B is wrong because EndpointSlice is not a stable IP/DNS resource; it is a lower-level object that tracks the actual IP addresses and ports of pods matching a Service's selector, used for scalability and efficiency, but it does not provide a stable endpoint for clients. Option D is wrong because NetworkPolicy is a security resource that controls traffic flow at the IP address or port level (OSI layer 3 or 4) using pod selectors and namespace selectors; it does not provide any IP address or DNS name for accessing pods.

184
MCQeasy

What is the smallest deployable unit in Kubernetes that you can create and manage?

A.Service
B.Container
C.Pod
D.Deployment
AnswerC

A Pod is the smallest deployable unit.

Why this answer

A Pod is the smallest and simplest unit in the Kubernetes object model that you can create and deploy. It represents a single instance of a running process in your cluster and encapsulates one or more containers with shared storage and network resources. While containers are the actual runtime environments, Kubernetes does not manage containers directly; it manages Pods, which are the atomic unit of scheduling and lifecycle management.

Exam trap

The trap here is that candidates confuse the container (the runtime technology) with the Pod (the Kubernetes API object), leading them to select 'Container' because they think of Docker containers as the smallest unit, but Kubernetes abstracts containers into Pods as the atomic deployable unit.

How to eliminate wrong answers

Option A is wrong because a Service is an abstraction that defines a logical set of Pods and a policy to access them; it is not a deployable unit but rather a networking resource that sits on top of Pods. Option B is wrong because a Container is not a Kubernetes API object; Kubernetes manages containers only within the context of a Pod, and you cannot create or manage a standalone container via the Kubernetes API. Option D is wrong because a Deployment is a higher-level controller that manages ReplicaSets and Pods; it is not the smallest deployable unit but rather a declarative way to manage Pod scaling and updates.

185
MCQeasy

Which component runs on every worker node and is responsible for ensuring that containers are running in a pod as specified in the PodSpec?

A.container runtime
B.kube-proxy
C.kubelet
D.kube-scheduler
AnswerC

The kubelet is the primary node agent that ensures containers are running in a pod as expected.

Why this answer

The kubelet is the primary node agent that runs on every worker node in a Kubernetes cluster. It is responsible for ensuring that containers described in a PodSpec are running and healthy, by interacting with the container runtime (e.g., containerd, CRI-O) to create, start, and monitor pods. The kubelet does not manage containers that were not created by Kubernetes.

Exam trap

The trap here is that candidates confuse the kubelet with the container runtime, assuming the runtime itself reads PodSpecs, when in fact the kubelet is the orchestrator that translates PodSpecs into runtime actions via the CRI.

How to eliminate wrong answers

Option A is wrong because the container runtime (e.g., containerd, CRI-O) is the software that actually runs containers, but it does not interpret PodSpecs or enforce desired state — it only executes container lifecycle operations when instructed by the kubelet. Option B is wrong because kube-proxy is a network proxy that runs on each node, handling service-to-pod traffic routing via iptables or IPVS rules, and has no role in container lifecycle management. Option D is wrong because kube-scheduler is a control plane component that assigns pods to nodes based on resource availability and constraints, but it does not run on worker nodes and does not manage running containers.

186
MCQhard

A cluster administrator notices that a Deployment's pods are not receiving traffic as expected. The Service selector matches the pod labels. What is a possible cause?

A.The pods have a liveness probe that fails
B.The Deployment replicas are set to zero
C.The pods have a failing readiness probe
D.The Service type is NodePort
AnswerC

A readiness probe determines whether a pod should receive traffic. A failing probe removes the pod from the Service endpoints.

Why this answer

A Service can only forward traffic to pods that are ready (i.e., that pass their readiness probes). If a pod's readiness probe fails, the pod is removed from the Service's endpoints.

187
MCQmedium

Which of the following is a correct apiVersion for a Deployment in a modern Kubernetes cluster (v1.19+)?

A.apiVersion: extensions/v1beta1
B.apiVersion: v1
C.apiVersion: apps/v1
D.apiVersion: apps/v1beta1
AnswerC

apps/v1 is the current stable version for Deployments.

Why this answer

Deployments are stable in the apps/v1 API group.

188
MCQhard

A developer created a Deployment with 5 replicas. After applying the manifest, only 3 pods are Running; the other 2 are Pending. Which is the MOST likely cause?

A.The readiness probe is failing
B.A NetworkPolicy is blocking traffic to the pods
C.The container image is misspelled
D.The nodes do not have enough available CPU or memory to schedule the additional pods
AnswerD

If nodes lack resources, the scheduler leaves pods in Pending state until resources become available.

Why this answer

Pending pods typically indicate that the scheduler cannot find a suitable node. The most common reason is insufficient resources (CPU or memory) on the nodes. Image pull errors or readiness probe failures would result in CrashLoopBackOff or not Ready, not Pending.

Network policies do not prevent pod scheduling.

189
Multi-Selecthard

Which THREE actions can be performed using kubectl without installing additional plugins?

Select 3 answers
A.Run 'kubectl debug' to create a debugging Pod.
B.Run 'kubectl edit deployment' to modify a Deployment in-place.
C.Run 'kubectl auth reconcile' to reconcile RBAC permissions.
D.Run 'kubectl cp' to copy files to and from containers.
E.Run 'kubectl logs' to view the logs of a container in a Pod.
AnswersB, D, E

kubectl edit opens the resource's manifest in an editor, allowing changes.

Why this answer

Option B is correct because 'kubectl edit deployment' is a built-in kubectl command that opens the Deployment's manifest in the default editor, allowing in-place modifications without any additional plugins. It directly interacts with the Kubernetes API to update the resource.

Exam trap

CNCF often tests the distinction between built-in kubectl commands and those requiring plugins, where candidates mistakenly assume that any useful debugging or auth command is native to kubectl.

190
MCQeasy

Which Kubernetes control plane component is responsible for maintaining the desired state of the cluster by running controller loops?

A.etcd
B.kube-apiserver
C.kube-controller-manager
D.kube-scheduler
AnswerC

The kube-controller-manager runs controller loops that reconcile the current state with the desired state.

Why this answer

The kube-controller-manager is the control plane component that runs controller loops, which are continuous processes that watch the shared state of the cluster through the kube-apiserver and make changes to drive the current state toward the desired state. Each controller (e.g., ReplicaSet, Node, Deployment) is a separate loop that handles a specific aspect of cluster management, ensuring that the actual cluster state matches the desired configuration defined in the API objects.

Exam trap

CNCF often tests the misconception that the kube-apiserver handles all cluster logic, but the trap here is that the kube-apiserver only exposes the API and validates requests, while the actual reconciliation loops that enforce desired state are run exclusively by the kube-controller-manager.

How to eliminate wrong answers

Option A is wrong because etcd is a distributed key-value store that holds all cluster data, but it does not run controller loops or enforce desired state; it is a passive storage backend. Option B is wrong because kube-apiserver is the front-end for the Kubernetes API that validates and processes RESTful requests, but it does not execute controller reconciliation logic; it serves as the communication gateway. Option D is wrong because kube-scheduler is responsible for assigning pods to nodes based on resource availability and constraints, not for maintaining the overall desired state of the cluster via controller loops.

191
MCQhard

You want to run a batch job that processes a queue and then terminates. Which Kubernetes resource should you use?

A.Job
B.Deployment
C.CronJob
D.DaemonSet
AnswerA

Jobs are designed for finite tasks that run to completion.

Why this answer

A Job creates one or more pods and ensures they run successfully to completion. For batch processing that terminates, a Job is appropriate.

192
MCQmedium

You notice that a pod is in 'Pending' state for a long time. Which of the following is the most likely cause?

A.The pod's liveness probe is failing.
B.No node has enough CPU or memory to meet the pod's requests.
C.The pod's readiness probe is not configured.
D.The container image does not exist.
AnswerB

Insufficient resources prevent scheduling, leaving the pod Pending.

Why this answer

A pod remains Pending if the scheduler cannot find a node that satisfies its resource requests or other constraints.

193
MCQeasy

What is the primary purpose of the kube-scheduler in a Kubernetes cluster?

A.Assigning pods to nodes
B.Running container runtime operations
C.Storing the cluster state
D.Exposing the Kubernetes API
AnswerA

The kube-scheduler selects a suitable node for each unscheduled pod.

Why this answer

The kube-scheduler is responsible for assigning pending pods to worker nodes based on resource availability and constraints.

194
MCQhard

An application requires that a set of Pods each be assigned a unique DNS name that can be used for peer-to-peer communication. Which Kubernetes resource should be used?

A.Job with a Service
B.DaemonSet with a Service
C.StatefulSet with a Headless Service
D.Deployment with a Service
AnswerC

StatefulSets assign stable, unique DNS names to pods, typically used with a Headless Service for peer discovery.

Why this answer

A StatefulSet with a Headless Service is correct because StatefulSets assign each Pod a stable, unique network identity (e.g., pod-name-0.service-name.namespace.svc.cluster.local) that persists across rescheduling. A Headless Service (clusterIP: None) disables load balancing and DNS round-robin, allowing direct DNS resolution to individual Pod IPs for peer-to-peer communication. This matches the requirement for unique DNS names for each Pod.

Exam trap

The trap here is that candidates often assume any Service provides unique DNS names, but only a Headless Service combined with a StatefulSet yields per-Pod DNS entries; a regular Service (ClusterIP or NodePort) always load-balances to a single virtual IP.

How to eliminate wrong answers

Option A is wrong because a Job is designed for batch processing tasks that run to completion, not for long-running Pods requiring stable DNS identities; a Service with a Job would still use a regular ClusterIP, which load-balances across Pods and does not provide unique per-Pod DNS names. Option B is wrong because a DaemonSet ensures one Pod per Node but does not guarantee stable, unique DNS names for each Pod; combined with a regular Service, DNS resolves to the Service IP, not individual Pods. Option D is wrong because a Deployment creates identical, interchangeable Pods with no stable identity; a regular Service provides a single DNS name that load-balances across all Pods, not unique per-Pod DNS names.

195
MCQeasy

Which Kubernetes object provides a stable IP address and DNS name for a set of Pods?

A.Ingress
B.ConfigMap
C.Service
D.Deployment
AnswerC

A Service abstracts a set of Pods and provides a stable IP and DNS name.

Why this answer

A Service provides a stable virtual IP address and a DNS name (e.g., my-svc.namespace.svc.cluster.local) that remains constant even as Pods are created or destroyed. This enables reliable network access to a dynamic set of Pods selected via labels, abstracting away Pod IP volatility.

Exam trap

CNCF often tests the misconception that a Deployment provides a stable network identity, when in fact it only manages Pod replicas and their lifecycle, while the Service object is solely responsible for stable IP/DNS abstraction.

How to eliminate wrong answers

Option A is wrong because an Ingress is not an IP/DNS provider for Pods; it is an API object that manages external HTTP/HTTPS routing to Services, typically using a load balancer or reverse proxy, and does not assign a stable IP to Pods directly. Option B is wrong because a ConfigMap is used to store non-confidential configuration data as key-value pairs or files, and it has no networking or IP assignment functionality. Option D is wrong because a Deployment manages the desired state and lifecycle of Pods (e.g., scaling, rolling updates) but does not provide a stable network endpoint; Pods created by a Deployment receive ephemeral IPs that change on restart.

196
Multi-Selecthard

Which two scenarios would benefit from using a StatefulSet instead of a Deployment? (Choose two.)

Select 2 answers
A.An application that requires persistent storage unique to each instance
B.A database cluster that requires stable network identities
C.A batch job that runs once and exits
D.A stateless web application that can scale horizontally
E.A microservice that can use any available node
AnswersA, B

StatefulSet can use PersistentVolumeClaims with unique volumes per pod.

Why this answer

StatefulSet provides stable network identities and persistent storage per pod, suitable for stateful applications like databases.

197
MCQeasy

What is the primary purpose of a Kubernetes Service?

A.To expose a set of pods as a network service with a stable endpoint
B.To provide persistent storage for pods
C.To store configuration data for pods
D.To manage rolling updates of applications
AnswerA

A Service provides a stable endpoint and load balancing for pods.

Why this answer

A Kubernetes Service provides a stable network endpoint (IP address and DNS name) to access a set of pods, which are ephemeral and can be rescheduled with different IPs. It acts as an abstraction layer, enabling load-balanced traffic to the pods via kube-proxy and iptables/IPVS rules. This is the core purpose of a Service, as defined in the Kubernetes API.

Exam trap

CNCF often tests the misconception that a Service manages pod lifecycle or updates, but the trap here is confusing the role of a Service (stable network abstraction) with that of a Deployment (reconciliation and rolling updates).

How to eliminate wrong answers

Option B is wrong because persistent storage for pods is provided by PersistentVolume (PV) and PersistentVolumeClaim (PVC) resources, not by a Service. Option C is wrong because configuration data for pods is stored in ConfigMaps or Secrets, not in a Service. Option D is wrong because managing rolling updates of applications is the responsibility of a Deployment (or StatefulSet), which uses a ReplicaSet to control the update strategy; a Service only exposes the pods, it does not manage their lifecycle or updates.

198
MCQmedium

You want to view the logs of a container named 'app' inside a pod named 'web-pod-7d4f8'. Which kubectl command should you use?

A.kubectl exec web-pod-7d4f8 -c app -- logs
B.kubectl log web-pod-7d4f8 --container app
C.kubectl logs web-pod-7d4f8 -c app
D.kubectl logs web-pod-7d4f8 app
AnswerC

This is the correct command to view logs of a specific container in a pod.

Why this answer

kubectl logs is used to fetch container logs. When a pod has multiple containers, the -c flag specifies the container. Options A and B have incorrect syntax; option D is for running commands in a container, not viewing logs.

199
MCQmedium

A Deployment manages ReplicaSets. What is the primary benefit of using a Deployment over directly managing ReplicaSets?

A.Deployments can expose services externally
B.Deployments support rolling updates and rollbacks
C.Deployments automatically configure DNS
D.Deployments provide persistent storage
AnswerB

Deployments enable controlled updates with revision history.

Why this answer

The primary benefit of using a Deployment over directly managing ReplicaSets is that Deployments provide declarative updates for Pods and ReplicaSets, including built-in support for rolling updates and rollbacks. This allows you to update the desired state (e.g., a new container image version) and have the Deployment controller automatically orchestrate the transition, while also enabling you to revert to a previous revision if the update fails. Directly managing ReplicaSets would require manual steps to scale down old ReplicaSets and scale up new ones, and it lacks the automated revision history and rollback capabilities that Deployments offer.

Exam trap

CNCF often tests the misconception that Deployments directly manage Pods, but the trap here is that candidates may confuse the Deployment's high-level features (like rolling updates) with other Kubernetes resources (Services, DNS, storage) that handle networking, naming, or data persistence, leading them to pick a wrong answer that describes a capability of a different resource.

How to eliminate wrong answers

Option A is wrong because Deployments do not expose services externally; that is the role of a Service (e.g., NodePort, LoadBalancer) or an Ingress resource. Option C is wrong because Deployments do not automatically configure DNS; DNS resolution for Pods and Services is handled by CoreDNS (or kube-dns) based on Service objects, not Deployments. Option D is wrong because Deployments do not provide persistent storage; persistent storage is managed through PersistentVolumeClaims (PVCs) and StorageClasses, which are referenced by Pods in a Deployment's template, but the Deployment itself does not provision or attach storage.

200
MCQmedium

Which command would you use to view the logs of a container named 'sidecar' inside a pod named 'app'?

A.kubectl logs app -c sidecar
B.kubectl logs app sidecar
C.kubectl logs sidecar app
D.kubectl logs sidecar -p app
AnswerA

This command retrieves logs from the specified container.

Why this answer

Use `kubectl logs` with the `-c` flag to specify the container name when a pod has multiple containers.

201
MCQmedium

What does the 'kubectl get pods' command display?

A.Detailed information about a specific pod
B.A list of all pods in the current namespace
C.The YAML definition of a pod
D.The logs of all pods
AnswerB

kubectl get pods lists pods with name, ready status, and other columns.

Why this answer

kubectl get pods lists all pods in the current namespace with basic status.

202
MCQmedium

You have a Deployment named 'web-app' running three replicas. You need to scale it to five replicas. Which kubectl command accomplishes this?

A.kubectl set deployment web-app replicas=5
B.kubectl patch deployment web-app -p '{"replicas":5}'
C.kubectl scale deployment web-app --replicas=5
D.kubectl update deployment web-app --replicas=5
AnswerC

This correctly scales the deployment to 5 replicas.

Why this answer

The 'scale' command is used to change the number of replicas in a Deployment.

203
Multi-Selecthard

Which TWO of the following are true about Kubernetes Pods?

Select 2 answers
A.Containers in a pod always have isolated filesystems
B.A pod is the smallest deployable unit in Kubernetes
C.A pod can contain multiple containers that share the same network namespace
D.Pods are designed to be long-lived and never terminated
E.Each container in a pod gets its own IP address
AnswersB, C

Pods are the smallest and most basic deployable objects.

Why this answer

Option B is correct because a Pod is the smallest and most fundamental deployable unit in Kubernetes. It represents a single instance of a running process in the cluster and encapsulates one or more containers with shared storage and network resources. You cannot deploy a container directly; you must always wrap it in a Pod.

Exam trap

The trap here is that candidates often confuse Pods with virtual machines, assuming each container gets its own IP and filesystem isolation, when in fact Pods are designed for tight coupling and shared resources.

204
MCQmedium

You have a Kubernetes cluster with multiple namespaces. You need to allow communication only from pods with label 'app: frontend' to pods with label 'app: backend' in the same namespace. Which resource should you use?

A.RBAC Role
B.NetworkPolicy
C.PodSecurityPolicy
D.Service
AnswerB

NetworkPolicy defines rules for allowed ingress and egress traffic between pods based on pod labels, namespaces, or IP blocks.

Why this answer

A NetworkPolicy is used to control ingress and egress traffic to pods based on labels and other selectors. It can be used to restrict communication between pods.

205
MCQeasy

Which Kubernetes control plane component is responsible for maintaining the desired state of the cluster by running reconciliation loops?

A.kube-scheduler
B.etcd
C.kube-apiserver
D.kube-controller-manager
AnswerD

The controller manager runs controllers that implement reconciliation loops to ensure the actual state matches the desired state.

Why this answer

The kube-controller-manager is the control plane component that runs controller processes, each of which watches the current state of the cluster via the kube-apiserver and makes changes to drive the actual state toward the desired state defined in etcd. This reconciliation loop pattern is fundamental to Kubernetes' self-healing behavior, ensuring that resources like deployments, replica sets, and nodes match their specifications.

Exam trap

CNCF often tests the misconception that etcd is responsible for maintaining desired state because it stores the desired state, but the trap is that etcd is only a data store and does not execute reconciliation loops—that is the job of the kube-controller-manager.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is responsible for assigning newly created pods to nodes based on resource requirements and policies, not for maintaining desired state via reconciliation loops. Option B is wrong because etcd is a distributed key-value store that holds the cluster's configuration and state data, but it does not run reconciliation logic or enforce desired state. Option C is wrong because kube-apiserver serves as the front-end for the Kubernetes control plane, exposing the REST API and validating requests, but it does not perform continuous reconciliation; it is the gateway through which controllers interact.

206
Drag & Dropmedium

Drag and drop the steps to set up a Kubernetes cluster using kubeadm into the correct order.

Why this order

First install runtime and Kubernetes tools, then init control plane, add network plugin, and join workers.

207
Multi-Selectmedium

Which TWO of the following are control plane components? (Select TWO)

Select 2 answers
A.etcd
B.kube-apiserver
C.kube-proxy
D.kubelet
E.Container runtime
AnswersA, B

Yes, etcd is a control plane component.

Why this answer

kube-apiserver and etcd are control plane components. kubelet and kube-proxy are worker node components.

208
MCQmedium

A pod has a liveness probe that returns failure. What action will Kubernetes take?

A.The container will be restarted
B.The service endpoint will be removed
C.The pod will be deleted
D.The pod will be rescheduled to another node
AnswerA

The liveness probe restarts the container to recover from a deadlock.

Why this answer

A failing liveness probe causes the kubelet to restart the container according to the pod's restart policy.

209
MCQeasy

Which of the following is NOT a responsibility of the kubelet on a worker node?

A.Ensure containers are running as defined in the PodSpec
B.Report node and pod status to the API server
C.Assign Pods to nodes based on resource requirements
D.Execute liveness and readiness probes
AnswerC

Pod assignment is the job of the kube-scheduler.

Why this answer

The kubelet does not perform scheduling; scheduling is done by the kube-scheduler.

210
MCQhard

You want to create a new Namespace called 'staging' and apply a ResourceQuota to it. Which of the following YAML snippets correctly defines a ResourceQuota that limits total memory to 10Gi and total CPU to 5 cores in namespace 'staging'?

A.
    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: staging-quota
      namespace: staging
    spec:
      hard:
        requests.cpu: "5"
        requests.memory: 10Gi
B.
    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: staging-quota
      namespace: staging
    spec:
      hard:
        limits.cpu: "5"
        limits.memory: 10Gi
C.
    apiVersion: v1
    kind: LimitRange
    metadata:
      name: staging-limits
      namespace: staging
    spec:
      limits:
      - default:
          cpu: 5
          memory: 10Gi
        defaultRequest:
          cpu: 1
          memory: 1Gi
D.
    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: staging-quota
    spec:
      hard:
        cpu: 5
        memory: 10Gi
AnswerB

Correct syntax for ResourceQuota.

Why this answer

ResourceQuota uses 'spec.hard' with resource names like 'limits.cpu' and 'limits.memory'.

211
MCQeasy

What is the purpose of a Namespace in Kubernetes?

A.To assign IP addresses to services
B.To limit the number of pods that can be created
C.To logically isolate resources like pods and services
D.To provide DNS names for pods
AnswerC

Namespaces provide logical isolation.

Why this answer

Namespaces provide a mechanism to logically isolate groups of resources within a single cluster. They are useful for separating environments (e.g., dev, prod) or teams.

212
Multi-Selecthard

Which THREE statements about Labels and Selectors are correct?

Select 3 answers
A.Services use selectors to determine which Pods receive traffic
B.Selectors are used by Deployments to identify the Pods they manage
C.Labels can be used to organize and select subsets of objects
D.Labels must be unique within a namespace
E.Annotations are used for identification and selection
AnswersA, B, C

Services use label selectors to route traffic to matching Pods.

Why this answer

Option A is correct because a Kubernetes Service uses a label selector to identify which Pods should receive traffic. When a Service is created with a selector matching certain labels, the endpoint controller dynamically updates the Service's Endpoints object to include the IP addresses of all Pods with those labels, enabling traffic routing.

Exam trap

CNCF often tests the distinction between labels and annotations, trapping candidates who assume annotations can also be used for selection, when in fact only labels support selector-based filtering.

213
Multi-Selectmedium

Which three of the following are valid ways to interact with the Kubernetes API? (Select THREE.)

Select 3 answers
A.Using a Kubernetes client library (e.g., client-go)
B.Using the 'kubeadm' command
C.Using the Docker CLI
D.Using kubectl command-line tool
E.Direct HTTP requests to the API server using tools like curl
AnswersA, D, E

Client libraries wrap API calls.

Why this answer

kubectl, curl, and client libraries are common API interaction methods.

214
MCQeasy

Which command is used to view detailed information about a specific pod?

A.kubectl exec pod -- /bin/sh
B.kubectl logs pod
C.kubectl describe pod
D.kubectl get pod
AnswerC

This command provides detailed information about a pod.

Why this answer

kubectl describe pod provides detailed information including events, status, and configuration.

215
Multi-Selecthard

Which THREE of the following are true about Kubernetes Namespaces?

Select 3 answers
A.PersistentVolumes are namespaced
B.NetworkPolicy can be used to control traffic between pods in different namespaces
C.Nodes are namespaced resources
D.You can apply ResourceQuota to limit resource consumption in a namespace
E.Namespaces are used to isolate resources like Pods and Services
AnswersB, D, E

NetworkPolicy can allow or deny traffic between namespaces when properly configured.

Why this answer

Namespaces provide scope for names and are a way to divide cluster resources between multiple users. They support resource quotas. However, nodes and persistent volumes are cluster-scoped and not namespaced.

Network policies can be applied within a namespace.

216
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the memory limit in the pod's container resource specification
B.Increase the CPU request for the container
C.Delete and recreate the pod to clear the crash loop
D.Delete the namespace and redeploy all workloads
AnswerA

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option A is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

217
MCQeasy

What is the primary purpose of a Kubernetes Service?

A.To provide a stable network endpoint for a set of Pods
B.To manage rolling updates of Pods
C.To schedule Pods onto Nodes
D.To store configuration data for Pods
AnswerA

A Service enables other components to access Pods reliably, even as Pods change.

Why this answer

A Service provides a stable endpoint for a set of Pods, enabling discovery and load balancing across them.

218
MCQmedium

You want to expose a set of pods to external traffic on node port 30080. Which Service type should you use?

A.ExternalName
B.LoadBalancer
C.NodePort
D.ClusterIP
AnswerC

NodePort opens a static port on each node's IP.

Why this answer

Option C (NodePort) is correct because a NodePort service exposes the application on a static port (30080) on each node's IP address, making it accessible from outside the cluster via <NodeIP>:30080. This is the appropriate choice when you need to expose pods to external traffic using a specific port number without requiring a cloud load balancer.

Exam trap

The trap here is that candidates confuse NodePort with LoadBalancer, thinking a cloud load balancer is required for external access, but NodePort directly exposes a static port on the node's IP without any cloud dependency.

How to eliminate wrong answers

Option A (ExternalName) is wrong because it maps a service to a DNS name (e.g., an external CNAME record) and does not expose pods or provide any network connectivity to external traffic; it is used for internal DNS aliasing. Option B (LoadBalancer) is wrong because it provisions an external cloud load balancer (e.g., AWS ELB, GCP LB) which assigns a dynamic external IP and port, not a fixed node port like 30080; it is overkill and does not guarantee the specific port. Option D (ClusterIP) is wrong because it exposes the service only on a cluster-internal IP, reachable only from within the cluster, and cannot be accessed from external traffic without additional components like an ingress or proxy.

219
MCQ · easy

A container in a pod has been restarted multiple times with 'CrashLoopBackOff' state. What does this indicate?

A. The container is using too much memory
B. The container exits with a non-zero exit code soon after starting
C. The container is running but not responding to health checks
D. The container image cannot be pulled
Answer: B

CrashLoopBackOff occurs when the container fails to stay running.

Why this answer

CrashLoopBackOff means the container is repeatedly crashing after starting, and Kubernetes is backing off from restarting it.

220
Multi-Select · medium

Which THREE of the following are responsibilities of the kube-controller-manager?

Select 3 answers
A. Assigning Pods to Nodes
B. Creating Endpoints objects for Services
C. Monitoring Node health and reacting to Node failures
D. Ensuring the correct number of Pod replicas are running
E. Serving the Kubernetes API
Answers: B, C, D

The Endpoints Controller populates Endpoints objects based on Service selectors.

Why this answer

Option B is correct because the kube-controller-manager includes the EndpointSlice controller (or the legacy Endpoints controller), which is responsible for creating and updating Endpoints (and EndpointSlice) objects to reflect the IP addresses and ports of Pods that match a Service's label selector. This ensures that the Service's DNS or iptables rules point to healthy Pods.

Exam trap

The trap here is that candidates confuse the kube-controller-manager's role in 'managing controllers' with the scheduler's role in 'assigning Pods to nodes', or they mistakenly think the controller-manager serves the API because it interacts with the API server.

221
MCQ · medium

A development team deploys a microservice that crashes every few minutes. The deployment uses a single replica, and the pod restarts repeatedly. Which Kubernetes feature should be enabled to ensure the service remains available during failures?

A. Move the deployment to a separate namespace
B. Increase the replicas in the Deployment to at least 2
C. Store the application configuration in a ConfigMap
D. Add a readiness probe to the pod
Answer: B

Increasing replicas allows the ReplicaSet to maintain multiple copies, so if one crashes, others still serve traffic.

Why this answer

Increasing the replicas to at least 2 ensures that if one pod crashes, the other replica(s) can continue serving traffic, maintaining availability. With only a single replica, the service becomes unavailable every time the pod restarts. This is the most direct way to provide redundancy and fault tolerance for a stateless microservice.

Exam trap

The trap here is that candidates often confuse health probes (readiness/liveness) with redundancy; while probes help detect and manage unhealthy pods, they do not provide the multiple running instances needed to maintain availability during a crash.

How to eliminate wrong answers

Option A is wrong because moving the deployment to a separate namespace does not affect pod availability or crash recovery; namespaces are for logical isolation, not high availability. Option C is wrong because storing configuration in a ConfigMap decouples configuration from the container image but does not prevent or recover from pod crashes. Option D is wrong because a readiness probe only controls whether a pod receives traffic; it does not keep the service available if the pod crashes—it merely stops sending traffic to an unhealthy pod, but with a single replica, no other pod exists to handle requests.

222
MCQ · easy

What is the smallest deployable unit in Kubernetes that can be created, scheduled, and managed?

A. Pod
B. Deployment
C. Node
D. Container
Answer: A

Pods are the atomic unit of deployment in Kubernetes.

Why this answer

A Pod is the smallest deployable unit, encapsulating one or more containers with shared storage and network.

223
MCQ · medium

A pod is stuck in 'Pending' state. Which of the following is the MOST likely cause?

A. There are no nodes with enough resources to run the pod
B. The pod has been deleted
C. The container image is invalid
D. The pod's liveness probe is failing
Answer: A

Pending often means the scheduler cannot find a suitable node.

Why this answer

A pod stays pending when it cannot be scheduled to a node, typically due to insufficient resources or node selector issues.

224
Multi-Select · medium

Which two of the following are responsibilities of the kubelet? (Select TWO.)

Select 2 answers
A. Reporting the node's status to the control plane
B. Implementing network rules for services
C. Assigning pods to nodes based on resource availability
D. Storing cluster state in a key-value store
E. Ensuring that containers are running in a pod as specified
Answers: A, E

The kubelet sends node status updates to the API server.

Why this answer

The kubelet ensures containers are running and healthy, and reports node status. Options A and E are correct.

225
MCQ · easy

Which component runs on every worker node and is responsible for ensuring that containers are running in a pod according to the pod specification?

A. kube-scheduler
B. kubelet
C. container runtime
D. kube-proxy
Answer: B

The kubelet ensures containers defined in pod specs are running and healthy.

Why this answer

The kubelet is the primary node agent that ensures containers are running as expected.
