CCNA Kubernetes Fundamentals Questions

61 of 436 questions · Page 6/6 · Kubernetes Fundamentals · Answers revealed

376
MCQ · easy

What is the purpose of a Service in Kubernetes?

A. To provide persistent storage volumes
B. To manage rolling updates of pods
C. To expose a set of pods as a network service with a stable endpoint
D. To store configuration data as key-value pairs
Answer: C

This is the primary purpose of a Service.

Why this answer

A Service provides a stable IP address and DNS name to access a set of pods, enabling load balancing and service discovery.

377
MCQ · hard

Which Kubernetes resource can be used to assign a pod to a specific node?

A. Node affinity rules in the pod spec
B. A NetworkPolicy
C. A Service account
D. A ConfigMap
Answer: A

Node affinity (requiredDuringSchedulingIgnoredDuringExecution) can force scheduling to specific nodes.

Why this answer

nodeSelector is a simple field in the pod spec that schedules the pod onto nodes with matching labels.

378
Multi-Select · medium

Which two statements correctly describe etcd in a Kubernetes cluster?

Select 2 answers
A. It is a key-value store that holds cluster configuration and state
B. It runs on every worker node
C. It manages network rules for Services
D. It implements the Kubernetes API
E. It is a critical component that must be backed up regularly
Answers: A, E

Correct.

Why this answer

etcd is a distributed key-value store that stores all cluster state. It is part of the control plane and should be backed up.

379
MCQ · hard

You have a web application that needs to read configuration from a file and also access a database password. Which combination of resources should you use to manage these configurations securely?

A. Use ConfigMap for configuration file and Secret for database password
B. Use ConfigMap for both
C. Use PersistentVolume for configuration and environment variables for the password
D. Use Secret for both
Answer: A

Separating concerns: ConfigMap for non-sensitive, Secret for sensitive.

Why this answer

ConfigMap is for non-sensitive configuration, Secret is for sensitive data like passwords.

380
MCQ · medium

You have a Deployment defined with replicas: 3. You run 'kubectl scale deployment my-deployment --replicas=5'. What happens?

A. The Deployment is updated to have 5 replicas, but existing pods are recreated to match.
B. The command fails because you cannot scale a Deployment directly.
C. The Deployment rolls out a new version with 5 replicas.
D. The Deployment is updated to have 5 replicas, and the ReplicaSet creates 2 additional pods.
Answer: D

Scaling increases the replica count, and the controller creates new pods.

Why this answer

The 'kubectl scale' command changes the desired replica count, and the Deployment controller creates additional pods to match.

381
MCQ · easy

Which of the following is the smallest deployable unit in Kubernetes?

A. Service
B. Container
C. Pod
D. Node
Answer: C

A pod is the smallest deployable unit.

Why this answer

A Pod is the smallest and simplest Kubernetes object, representing a group of one or more containers with shared storage/network.

382
MCQ · medium

Which API version is correct for a Deployment in modern Kubernetes (v1.29+)?

A. apiVersion: extensions/v1beta1
B. apiVersion: v1
C. apiVersion: apps/v1
D. apiVersion: apps/v1beta2
Answer: C

apps/v1 is the correct stable API version for Deployment.

Why this answer

Deployment is a stable resource since Kubernetes 1.9, and the correct API version is apps/v1.

383
MCQ · medium

An administrator runs 'kubectl get pods' and sees that a pod is in 'Pending' state. 'kubectl describe pod' shows the event: '0/4 nodes are available: 1 node had taints that the pod didn't tolerate, 3 nodes had insufficient memory'. What is the most likely issue?

A. The node with the taint has a toleration mismatch.
B. The pod's image pull is failing.
C. The pod's resource requests exceed available memory on three nodes.
D. The pod was evicted due to resource pressure.
Answer: C

Correct; insufficient memory prevents scheduling.

Why this answer

Option C is correct because the scheduler event explicitly states '3 nodes had insufficient memory', which directly indicates that the pod's resource requests (specifically memory) exceed the available allocatable memory on those three nodes. The fourth node is unavailable due to taints, leaving zero schedulable nodes, hence the 'Pending' state.

Exam trap

Cisco often tests the distinction between taint/toleration and resource constraints — candidates mistakenly think the taint is the primary issue, but the event clearly shows only one node is tainted while three have insufficient memory, making resource exhaustion the dominant cause.

How to eliminate wrong answers

Option A is wrong because the event says '1 node had taints that the pod didn't tolerate', which is a taint/toleration mismatch, not a toleration mismatch on the node — the pod lacks the required toleration, not the node. Option B is wrong because image pull failures would appear as 'ErrImagePull' or 'ImagePullBackOff' events in 'kubectl describe pod', not as node availability issues. Option D is wrong because eviction due to resource pressure would result in a 'Terminating' or 'Evicted' status, not 'Pending', and the event would reference eviction, not node availability.

384
MCQ · easy

What is the primary purpose of the `kubectl apply` command?

A. To create or update resources from a manifest
B. To view resource details
C. To delete resources
D. To execute commands inside a container
Answer: A

`kubectl apply` creates or updates resources declaratively.

Why this answer

The `kubectl apply` command uses a declarative approach to manage Kubernetes resources. It sends a PATCH request to the API server, which compares the desired state in the provided manifest (YAML/JSON) with the current state of the resource in the cluster. If the resource does not exist, it creates it; if it does exist, it updates only the fields specified in the manifest, preserving any fields not mentioned.

Exam trap

CNCF often tests the confusion between imperative commands (like `kubectl create` or `kubectl run`) and declarative commands (`kubectl apply`), leading candidates to mistakenly think `apply` only creates resources or only updates them, rather than understanding it handles both idempotently.

How to eliminate wrong answers

Option B is wrong because viewing resource details is the purpose of `kubectl get` (to list resources) or `kubectl describe` (to show detailed state), not `kubectl apply`. Option C is wrong because deleting resources is done with `kubectl delete`, which sends a DELETE request to the API server, whereas `apply` never removes resources. Option D is wrong because executing commands inside a container is the function of `kubectl exec`, which uses the container runtime's exec API (e.g., via CRI or Docker), not the Kubernetes API for resource management.

385
MCQ · hard

You have a Pod that is running but not receiving traffic. You suspect the associated Service's selector does not match the Pod labels. Which kubectl command would you use to check the Service's selector?

A. kubectl get endpoints <service-name>
B. kubectl describe service <service-name>
C. kubectl get service <service-name> -o yaml
D. kubectl logs <pod-name>
Answer: B

This shows detailed information including the selector field.

Why this answer

Option B is correct because `kubectl describe service <service-name>` displays the service's selector field under the 'Selector' section, allowing you to directly compare it with the Pod's labels. This is the most straightforward way to verify if the selector matches the Pod labels, which is essential for traffic routing.

Exam trap

CNCF often tests the distinction between checking the selector definition versus checking the resulting endpoints, so candidates may mistakenly choose `kubectl get endpoints` because it shows the current routing status, but it does not reveal the selector itself.

How to eliminate wrong answers

Option A is wrong because `kubectl get endpoints <service-name>` shows the current endpoints (Pod IPs) that the service is routing to, but it does not show the service's selector; it only reveals the result of the selector matching, not the selector itself. Option C is wrong because `kubectl get service <service-name> -o yaml` outputs the full service definition including the selector, but it is more verbose and less direct than `kubectl describe` for quickly checking the selector; however, it is not incorrect per se, but the question asks for the command to check the selector, and `describe` is the standard, concise method. Option D is wrong because `kubectl logs <pod-name>` retrieves the logs from the Pod's containers, which provides application-level output but no information about the service's selector or label matching.

386
Multi-Select · easy

Which TWO statements about Kubernetes Namespaces are correct?

Select 2 answers
A. Namespaces provide a way to divide cluster resources between multiple users or teams.
B. All Kubernetes resources must be created within a namespace.
C. Namespaces provide network isolation by default.
D. Deleting a namespace will delete all resources in it.
E. Resource quotas can be applied to a namespace to limit total resource consumption.
Answers: A, E

Namespaces enable resource isolation and multi-tenancy.

Why this answer

Option A is correct because Kubernetes Namespaces are a mechanism to partition a single cluster into virtual sub-clusters, enabling multi-tenancy by isolating resources (e.g., Pods, Services) and controlling access via RBAC. This allows different users or teams to work in separate scopes within the same cluster, preventing naming conflicts and enabling resource governance.

Exam trap

CNCF often tests the misconception that Namespaces provide automatic network isolation, but in reality, network policies must be explicitly defined to restrict traffic between namespaces.

387
MCQ · hard

You are asked to schedule a pod on a node that has SSD storage. Which mechanism should you use to achieve this?

A. Use a resource request for SSD storage capacity
B. Set an annotation on the pod specifying the disk type
C. Add a nodeSelector with a label matching the node, e.g., disktype: ssd
D. Add a toleration for a taint on SSD nodes
Answer: C

nodeSelector ensures the pod is scheduled on nodes with the matching label.

Why this answer

Option C is correct because nodeSelector is the built-in Kubernetes mechanism for constraining a pod to nodes with specific labels. By labeling a node with disktype=ssd and adding that same label selector to the pod spec, the scheduler will only place the pod on nodes that have that label, ensuring it lands on SSD-equipped nodes.

Exam trap

The trap here is that candidates confuse tolerations (which only allow scheduling on tainted nodes) with node selectors (which actively target nodes), leading them to pick D instead of C.

How to eliminate wrong answers

Option A is wrong because resource requests specify minimum CPU/memory capacity, not storage type or node attributes; they cannot select nodes based on disk type. Option B is wrong because annotations are metadata for non-identifying information and are not used by the scheduler for node selection; they have no effect on pod placement. Option D is wrong because tolerations allow pods to be scheduled on tainted nodes but do not actively select nodes; they only permit scheduling on nodes that would otherwise repel the pod, without guaranteeing the node has SSD storage.

388
Multi-Select · easy

Which TWO of the following are responsibilities of the kube-controller-manager? (Select 2)

Select 2 answers
A. Ensuring the desired number of pod replicas are running
B. Implementing service networking rules
C. Storing the cluster state
D. Detecting node failures and reacting
E. Scheduling pods onto nodes
Answers: A, D

The Replication Controller ensures the correct replica count.

Why this answer

The kube-controller-manager runs controllers that handle node lifecycle (Node Controller) and ensure the correct number of pods are running (Replication Controller).

389
MCQ · medium

You need to store a database password securely and make it available to a Pod as an environment variable. Which Kubernetes resource should you create?

A. Secret
B. PersistentVolume
C. ConfigMap
D. ServiceAccount
Answer: A

Secrets store sensitive data like passwords, tokens, and keys.

Why this answer

Secrets are designed to store sensitive data, such as passwords, and can be exposed to Pods via environment variables or volumes.

390
MCQ · easy

Which kubectl command would you use to view detailed information about a pod named 'web-pod' in the 'default' namespace?

A. kubectl describe pod web-pod
B. kubectl get pod web-pod
C. kubectl logs web-pod
D. kubectl exec web-pod -- env
Answer: A

This provides detailed status, events, and configuration.

Why this answer

kubectl describe pod provides detailed information including events. kubectl get pod -o yaml outputs YAML, but describe is the standard command for detailed info.

391
MCQ · easy

Which Kubernetes control plane component is the entry point for all REST API requests?

A. kube-controller-manager
B. kube-apiserver
C. kube-scheduler
D. etcd
Answer: B

The API server validates and processes REST requests.

Why this answer

kube-apiserver exposes the Kubernetes API and handles all API requests.

392
MCQ · medium

A pod is stuck in Pending state. Which of the following is the MOST likely reason?

A. There are insufficient resources on any available node
B. The pod is still being initialized
C. The container image is missing
D. The pod has crashed and is restarting
Answer: A

The scheduler cannot find a node with enough CPU/memory/ports.

Why this answer

Pending means the pod has not been scheduled to a node, often due to insufficient resources or node constraints.

393
MCQ · medium

A developer needs to update a running Deployment's container image from 'nginx:1.21' to 'nginx:1.23' with minimal downtime and the ability to roll back if the new version fails. Which kubectl command should be used?

A. kubectl edit deployment my-deployment
B. kubectl apply -f updated-deployment.yaml
C. kubectl patch deployment my-deployment -p '{"spec":{"template":{"spec":{"containers":[{"name":"nginx","image":"nginx:1.23"}]}}}}'
D. kubectl set image deployment/my-deployment nginx=nginx:1.23
Answer: D

This command updates the image and initiates a rolling update.

Why this answer

'kubectl set image' updates the container image and triggers a rolling update, which is the default update strategy for Deployments.

394
MCQ · easy

Which Kubernetes control plane component is responsible for maintaining the desired state of the cluster by running controllers?

A. kube-scheduler
B. etcd
C. kube-controller-manager
D. kube-apiserver
Answer: C

Why this answer

The kube-controller-manager runs controllers that watch the state of the cluster and make changes to drive the current state toward the desired state.

395
MCQ · medium

Which component is responsible for ensuring that the containers in a pod are running as specified?

A. kube-apiserver
B. kube-controller-manager
C. kubelet
D. kube-proxy
Answer: C

The kubelet is the primary node agent that runs and maintains containers according to pod specs.

Why this answer

The kubelet on each node communicates with the API server and ensures that the containers described in pod specs are healthy and running.

396
MCQ · medium

Which of the following is a way to provide configuration data to a pod without baking it into the container image?

A. Using a ConfigMap
B. Using an annotation
C. Using a Secret
D. Using a PersistentVolume
Answer: A

ConfigMaps store configuration data that can be consumed by pods as environment variables or files.

Why this answer

ConfigMaps allow you to decouple configuration artifacts from image content.

397
Multi-Select · hard

Which TWO of the following are correct about the 'kubectl apply' command compared to 'kubectl create'? (Select exactly two.)

Select 2 answers
A. kubectl apply requires the --save-config flag to record the last-applied-configuration annotation
B. kubectl apply cannot be used on resources that already exist
C. kubectl apply can create objects but not update them
D. kubectl apply can accept a directory of YAML files with -f
E. kubectl apply uses a declarative approach and can update existing objects
Answers: D, E

apply accepts files, directories, and URLs.

Why this answer

kubectl apply uses declarative object management; it creates the object if it doesn't exist, but also updates existing objects by applying the configuration. The -f flag can be a file or directory.

398
Multi-Select · medium

Which TWO of the following are responsibilities of the kubelet? (Select 2)

Select 2 answers
A. Registering the node with the cluster and reporting node status
B. Ensuring that containers defined in PodSpecs are running and healthy
C. Scheduling pods onto nodes based on resource availability
D. Creating and managing network iptables rules for Services
E. Storing cluster configuration data
Answers: A, B

The kubelet registers the node and periodically reports node status to the API server.

Why this answer

The kubelet is the node agent that ensures containers are running and healthy, and it reports node status to the control plane. kube-proxy handles network rules, and the scheduler assigns pods to nodes.

399
MCQ · hard

A user reports that they cannot connect to a Service from within the cluster. The Service is of type ClusterIP. Running 'kubectl get endpoints service-name' shows no endpoints. What is the most likely cause?

A. The Service is not associated with a namespace
B. The Service is exposed on the wrong port
C. The kube-proxy is not running on the node
D. The Service's pod selector does not match any running pods
Answer: D

Endpoints are created by matching pods with the selector; if none match, endpoints are empty.

Why this answer

If endpoints are empty, the Service selector does not match any pods, or the pods are not ready.

400
MCQ · medium

You need to store a database password securely and expose it to a Pod as an environment variable. Which Kubernetes resource should you use?

A. Service
B. PersistentVolumeClaim
C. Secret
D. ConfigMap
Answer: C

Secrets store sensitive data, such as passwords, and can be injected into Pods as environment variables or volumes.

Why this answer

Option C is correct. Secrets are designed to store sensitive data like passwords and can be exposed as environment variables or mounted as volumes. ConfigMaps are for non-sensitive configuration.

PersistentVolumeClaims are for storage. A Service does not store configuration.

401
MCQ · medium

A developer needs to deploy a stateless application with three replicas and ensure that updates are rolled out with zero downtime. Which Kubernetes resource is most appropriate?

A. Deployment
B. StatefulSet
C. Job
D. DaemonSet
Answer: A

Deployment manages ReplicaSets and supports rolling updates.

Why this answer

A Deployment manages ReplicaSets and supports declarative rolling updates, making it ideal for stateless applications.

402
Multi-Select · easy

Which two statements about Pods are true? (Select TWO)

Select 2 answers
A. A Pod can only contain one container
B. Containers in the same Pod share the same network namespace
C. A Pod is automatically recreated if its Node fails
D. A Pod is the smallest deployable unit in Kubernetes
E. Pods are always created directly by users
Answers: B, D

They share the same IP and port space, and can communicate via localhost.

Why this answer

A Pod is the smallest deployable unit in Kubernetes and can contain one or more containers that share the same network namespace. Containers in a Pod share the same IP and port space.

403
MCQ · easy

Which kubectl command would you use to view the detailed state of a pod named 'web-pod' in the 'default' namespace?

A. kubectl logs web-pod
B. kubectl get pod web-pod
C. kubectl describe pod web-pod
D. kubectl exec web-pod -- /bin/sh
Answer: C

Correct. 'kubectl describe' gives detailed information including events.

Why this answer

Option C is correct because `kubectl describe pod web-pod` retrieves a detailed, multi-section view of the pod's current state, including events, conditions, container statuses, and resource usage. This command is specifically designed for deep inspection of a Kubernetes resource, unlike `kubectl get` which shows a summary, or `kubectl logs` which shows container output.

Exam trap

The trap here is that candidates confuse `kubectl get` (which shows a summary) with `kubectl describe` (which shows detailed state), especially when the question asks for 'detailed state' — CNCF often tests this distinction by making the summary command look plausible at first glance.

How to eliminate wrong answers

Option A is wrong because `kubectl logs web-pod` fetches the stdout/stderr logs from the pod's containers, not the pod's detailed state or configuration. Option B is wrong because `kubectl get pod web-pod` outputs a concise, one-line summary of the pod (name, ready status, restarts, age) without the detailed events, conditions, or container-level information. Option D is wrong because `kubectl exec web-pod -- /bin/sh` opens an interactive shell inside the pod's primary container, which is used for debugging or running commands inside the container, not for viewing the pod's state.

404
MCQ · easy

A developer creates a pod that needs to securely access a database password stored in the cluster. Which Kubernetes resource should be used to inject the password as an environment variable?

A. Secret
B. ServiceAccount
C. ConfigMap
D. PersistentVolumeClaim
Answer: A

Correct; Secrets store sensitive data like passwords.

Why this answer

A Secret is the correct Kubernetes resource for injecting sensitive data like a database password into a Pod as an environment variable. Secrets store base64-encoded data and are designed specifically for confidential information, unlike ConfigMaps which store non-sensitive configuration. When mounted as environment variables, Secrets ensure the password is not exposed in plaintext in the Pod specification or image layers.

Exam trap

CNCF often tests the distinction between ConfigMaps and Secrets, trapping candidates who assume ConfigMaps can handle sensitive data because both resources can inject environment variables, but Secrets are the only secure choice for passwords.

How to eliminate wrong answers

Option B (ServiceAccount) is wrong because a ServiceAccount provides an identity for Pods to authenticate to the Kubernetes API server, not a mechanism to store or inject sensitive data like passwords. Option C (ConfigMap) is wrong because ConfigMaps are intended for non-sensitive configuration data; storing a password in a ConfigMap would violate security best practices and expose the secret in plaintext. Option D (PersistentVolumeClaim) is wrong because a PVC is used to request storage resources from a PersistentVolume, not to inject environment variables or store secrets.

405
MCQ · medium

You have a Deployment named 'web-app' with 3 replicas. You need to scale it to 5 replicas. Which kubectl command should you use?

A. kubectl create deployment web-app --replicas=5
B. kubectl scale deployment web-app --replicas=5
C. kubectl edit deployment web-app --replicas=5
D. kubectl describe deployment web-app
Answer: B

The scale command changes the replica count of the deployment.

Why this answer

Option C is correct. 'kubectl scale deployment web-app --replicas=5' is the correct command to change the number of replicas. Option A is for creating resources, Option B inspects resources, and Option D edits the resource, but the scale command is more direct.

406
Multi-Select · easy

Which TWO of the following are responsibilities of the kubelet on a worker node?

Select 2 answers
A. Storing cluster state in etcd
B. Scheduling Pods onto the node
C. Implementing network rules for Services
D. Ensuring containers are running as specified in the PodSpec
E. Registering the node with the control plane
Answers: D, E

kubelet is the primary node agent that manages containers.

Why this answer

The kubelet is the primary node agent that runs on each worker node. Its core responsibility is to ensure that containers are running and healthy as defined by the PodSpec, which it receives from the API server. It does this by interacting with the container runtime (e.g., containerd or CRI-O) to start, stop, and monitor containers.

Exam trap

The trap here is that candidates often confuse the kubelet's role with that of kube-proxy or the scheduler, especially because the kubelet does interact with the API server and manages Pod lifecycle, but it does not perform scheduling or network rule enforcement.

407
MCQ · hard

A Pod is in 'CrashLoopBackOff' state. You run 'kubectl logs <pod>' and see an error that the application cannot bind to port 8080 because the port is already in use. What is the most likely cause?

A. The container's health check is misconfigured
B. The container runtime is not installed
C. The Pod's resource limits are too low
D. Another process inside the container is already using port 8080
Answer: D

If the application or another process occupies the port, the app cannot bind.

Why this answer

CrashLoopBackOff means the container keeps crashing. The error indicates a port conflict, often because the application tries to bind to a port already in use inside the container or host.

408
MCQ · medium

You have a pod that needs to securely access a database password. Which Kubernetes resource should you use to store the password?

A. ServiceAccount
B. Secret
C. ConfigMap
D. PersistentVolume
Answer: B

Secrets store sensitive data and are base64 encoded.

Why this answer

Secrets are designed to store sensitive information such as passwords, API keys, and certificates. ConfigMaps are for non-sensitive configuration data.

409
Multi-Select · hard

Which three of the following are true about etcd in Kubernetes?

Select 3 answers
A. etcd stores all cluster state, including Pods, ConfigMaps, and Secrets
B. etcd is a relational database
C. etcd is a distributed, consistent key-value store
D. etcd can be used as a message queue
E. etcd supports watches to monitor changes to keys
Answers: A, C, E

etcd is the backing store for all cluster data.

Why this answer

Option A is correct because etcd is the primary datastore for Kubernetes, storing all cluster state including objects like Pods, ConfigMaps, and Secrets. This ensures that the Kubernetes API server has a consistent, authoritative source of truth for the entire cluster.

Exam trap

The trap here is that candidates may confuse etcd's watch functionality with message queuing, or incorrectly assume that any database with key-value storage is relational, leading them to select options B or D.

410
Multi-Select · medium

Which TWO statements about Kubernetes Services are correct?

Select 2 answers
A. A Service can expose only one container port
B. A Service can only route traffic to pods on the same node as the Service
C. The default Service type is ClusterIP
D. A Service provides a stable IP address and DNS name for a set of pods
E. A Service of type NodePort exposes the service only on the node where the pod is running
Answers: C, D

If no type is specified, ClusterIP is used.

Why this answer

Option C is correct because the default Service type in Kubernetes is ClusterIP, which exposes the Service on a cluster-internal IP address. This means the Service is only reachable from within the cluster, providing a stable internal endpoint for pod-to-pod communication without external exposure.

Exam trap

Cisco often tests the misconception that a Service can only expose one port or that NodePort is node-specific, when in fact multiple ports are supported and NodePort opens the port on every node in the cluster.

411
MCQ · medium

What is the function of kube-proxy on a worker node?

A. It ensures the desired number of pods are running
B. It runs the container runtime
C. It reports node status to the control plane
D. It implements part of the Kubernetes Service concept by managing network rules
Answer: D

kube-proxy handles iptables/IPVS rules for service load balancing.

Why this answer

kube-proxy maintains network rules to enable communication to services from inside or outside the cluster.

412
MCQ · hard

A pod has resource requests set to 'cpu: 500m' and 'memory: 256Mi'. The node has 2 CPU cores and 4Gi memory. How many pods with the same resource requests can be scheduled on that node, assuming no other pods?

A. 2
B. 4
C. 8
D. 16
Answer: B

CPU is the bottleneck; 2000m / 500m = 4.

Why this answer

CPU cores: 2 cores = 2000m. Memory: 4Gi = 4096Mi. For CPU, 2000m / 500m = 4 pods.

For memory, 4096Mi / 256Mi = 16 pods. The limiting factor is CPU, so 4 pods.

413
MCQ · medium

You need to securely store a database password for use by a Pod. Which Kubernetes resource should you use?

A. Secret
B. PersistentVolumeClaim
C. ServiceAccount
D. ConfigMap
Answer: A

Secrets are intended for sensitive information.

Why this answer

A Secret is the correct Kubernetes resource for storing sensitive data like database passwords because it encodes the value in base64 and can be mounted as a volume or injected as an environment variable into a Pod. Unlike ConfigMaps, Secrets are designed for confidential information and support optional encryption at rest when enabled in the cluster. This ensures the password is not stored in plaintext in the Pod specification or version control.

Exam trap

CNCF often tests the misconception that ConfigMaps are suitable for all configuration data, including sensitive values, but the KCNA exam expects you to know that Secrets are the dedicated resource for confidential information like passwords and API keys.

How to eliminate wrong answers

Option B (PersistentVolumeClaim) is wrong because it is used to request storage volumes for Pods, not to store sensitive configuration data like passwords. Option C (ServiceAccount) is wrong because it provides an identity for Pods to authenticate with the Kubernetes API server, not a mechanism for storing secrets. Option D (ConfigMap) is wrong because it is intended for non-sensitive configuration data; storing a password in a ConfigMap would expose it in plaintext and violate security best practices.

414
Multi-Select · medium

Which TWO of the following are characteristics of a Namespace in Kubernetes?

Select 3 answers
A. Namespaces are required for all Kubernetes objects
B. Namespaces provide network isolation by default
C. Resource names must be unique within a namespace, but can be reused across namespaces
D. Namespaces allow multiple virtual clusters within a physical cluster
E. Deleting a namespace deletes all objects inside it
Answers: C, D, E

Namespaces scope resource names.

Why this answer

Option C is correct because Kubernetes enforces uniqueness of resource names only within the same Namespace. This allows you to reuse names like 'my-app' across different Namespaces (e.g., dev and prod), enabling logical separation without naming conflicts.

Exam trap

CNCF often tests the misconception that Namespaces provide built-in network isolation, but in reality, they only offer logical grouping; network segmentation requires explicit NetworkPolicy resources.

415
MCQ · hard

A pod in the 'default' namespace cannot reach a pod in the 'backend' namespace by service name 'db-service'. Both namespaces exist and the service is running. What is the most likely cause?

A. The pod does not have network policy allowing cross-namespace traffic
B. The service is not exposed on a port
C. The kube-proxy is not running
D. The pod is using the wrong service name format for cross-namespace access
Answer: D

The correct format is 'db-service.backend.svc.cluster.local'.

Why this answer

By default, Kubernetes DNS resolves service names only within the same namespace. To reach a service in another namespace, the fully qualified domain name (FQDN) must be used.

416
MCQ · hard

A pod in the 'default' namespace has the following YAML snippet:

    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      fsGroup: 2000

What is the effect of the fsGroup field?

A. It restricts the pod to run only on nodes with that group ID.
B. It sets the group ID for any volumes mounted into the pod.
C. It defines the group ID for the pod's service account.
D. It sets the group ID for the container's main process.
Answer: B

fsGroup changes the group ownership of volumes and any files created in them.

Why this answer

fsGroup sets the group ID for the volume (if any) and all files in the volume will be owned by that group. It does not affect the container's primary group.

417
Multi-Selectmedium

Which TWO of the following are valid ways to assign a pod to a specific node?

Select 2 answers
A.nodeSelector
B.affinity: nodeAntiAffinity
C.tolerations
D.nodeName
E.podSelector
AnswersA, D

Node selector uses labels to match nodes.

Why this answer

Option A is correct because `nodeSelector` is a simple, built-in field in the Pod spec that matches the pod to nodes with specific labels. When you add a `nodeSelector` with a key-value pair, the scheduler only places the pod on nodes that have that exact label. This is the most straightforward way to constrain a pod to a subset of nodes.

Exam trap

CNCF often tests the distinction between mechanisms that *constrain* scheduling (like nodeSelector and nodeAffinity) versus mechanisms that *permit* scheduling (like tolerations), and candidates mistakenly think tolerations can force a pod to a specific node when they only allow it to be scheduled on tainted nodes.

418
Multi-Selectmedium

Which three of the following are true about ConfigMaps? (Select THREE.)

Select 3 answers
A.ConfigMaps are automatically encrypted at rest
B.ConfigMaps are namespace-scoped
C.ConfigMaps can hold binary data
D.ConfigMaps can be mounted as volumes or exposed as environment variables
E.ConfigMaps are used to store non-sensitive configuration data
AnswersB, D, E

ConfigMaps belong to a namespace and are not cluster-wide.

Why this answer

ConfigMaps are namespace-scoped objects, meaning they exist within a specific Kubernetes namespace and can only be referenced by Pods in that same namespace. This is a fundamental property of most Kubernetes resources, ensuring isolation and organization of configuration data across different environments or teams within a cluster.

Exam trap

CNCF often tests the distinction between ConfigMaps and Secrets, specifically that ConfigMaps are for non-sensitive, plaintext data and are not encrypted by default, while Secrets are intended for sensitive data and have optional encryption at rest.

419
MCQhard

You run 'kubectl logs my-pod' and see: "Error from server (BadRequest): container "my-container" in pod "my-pod" is waiting to start: PodInitializing". What does this mean?

A.The container is running but producing no output
B.The container runtime is failing to start the container
C.The container has crashed and is restarting
D.The Pod is in the process of initializing and logs are not yet available
AnswerD

PodInitializing means the container hasn't started yet.

Why this answer

PodInitializing indicates that the Pod is still initializing, e.g., pulling images or running init containers. Logs are not available until the container starts.

420
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete the namespace and redeploy all workloads
B.Increase the memory limit in the pod's container resource specification
C.Increase the CPU request for the container
D.Delete and recreate the pod to clear the crash loop
AnswerB

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option B is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option D would not help: recreating the pod without addressing the root cause will result in the same failure. Option C addresses CPU, not memory. Option A (deleting the namespace) is destructive and unnecessary.

421
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the memory limit in the pod's container resource specification
B.Increase the CPU request for the container
C.Delete the namespace and redeploy all workloads
D.Delete and recreate the pod to clear the crash loop
AnswerA

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The 'OOMKilled' status indicates the pod's container was terminated by the Linux kernel Out-of-Memory (OOM) killer because it exceeded its configured memory limit. Since the pod ran successfully for days, this suggests a gradual memory leak or increased workload demand. Increasing the memory limit in the pod's container resource specification allows the container to use more memory before being killed, directly addressing the root cause.

Exam trap

The trap here is that candidates may confuse 'OOMKilled' with a general crash and choose to delete/recreate the pod, not realizing the memory limit must be adjusted to prevent recurrence.

How to eliminate wrong answers

Option B is wrong because increasing the CPU request does not affect memory consumption or prevent OOM kills; CPU and memory are independent resources in Kubernetes. Option C is wrong because deleting the namespace and redeploying all workloads is an extreme, disruptive action that does not fix the underlying memory limit issue and would cause unnecessary downtime. Option D is wrong because deleting and recreating the pod only restarts the container with the same memory limit, so it will likely be OOMKilled again when memory usage spikes.

422
MCQmedium

Which of the following is NOT a responsibility of the kubelet on a worker node?

A.Performing liveness and readiness probes
B.Starting and stopping containers based on PodSpecs
C.Implementing network rules for Services
D.Reporting node and pod status to the control plane
AnswerC

Network rules and service load balancing are handled by kube-proxy, not kubelet.

Why this answer

The kubelet is the primary node agent that runs on each worker node, responsible for ensuring containers are running in a Pod as specified by the PodSpec. It performs liveness and readiness probes, starts and stops containers, and reports node and pod status to the control plane. Implementing network rules for Services, such as iptables or IPVS rules, is the responsibility of the kube-proxy, not the kubelet.

Exam trap

The trap here is that candidates often confuse the kubelet's role with kube-proxy's role, assuming the kubelet handles all networking on the node, including Service traffic routing.

How to eliminate wrong answers

Option A is wrong because the kubelet is responsible for executing liveness and readiness probes against containers and taking action based on their results (e.g., restarting containers). Option B is wrong because the kubelet directly manages container lifecycle by communicating with the container runtime (e.g., containerd, CRI-O) to start and stop containers as defined in the PodSpec. Option D is wrong because the kubelet periodically reports the node's condition and the status of each Pod to the API server via the NodeStatus and PodStatus updates.

423
Multi-Selecteasy

Which TWO components are part of a Kubernetes worker node?

Select 2 answers
A.kubelet
B.kube-scheduler
C.container runtime
D.kube-proxy
E.etcd
AnswersA, D

kubelet runs on each node and ensures containers are running as specified.

Why this answer

The kubelet is the primary node agent that runs on every worker node. It registers the node with the cluster, receives Pod specifications from the API server, and ensures that the containers described in those Pods are running and healthy. Without the kubelet, a node cannot participate in the cluster as a worker.

Exam trap

CNCF often tests the distinction between control plane and worker node components, and the trap here is that candidates mistakenly include the container runtime as a 'Kubernetes component' when it is actually a third-party dependency, or they confuse kube-scheduler as a worker node component because it deals with Pod placement.

424
MCQmedium

What is the role of kube-scheduler in Kubernetes?

A.To assign pods to nodes
B.To run container health checks
C.To store cluster configuration
D.To provide network rules for services
AnswerA

This is the scheduler's primary function.

Why this answer

The kube-scheduler watches for unscheduled pods and assigns them to nodes based on resource availability and constraints.

425
MCQeasy

A Pod has a container that needs to write logs to a file. The administrator wants the logs to persist even if the container restarts. What is the simplest solution?

A.Use a PersistentVolumeClaim for each container.
B.Use a hostPath volume to write logs directly to the node filesystem.
C.Store logs in a ConfigMap.
D.Use an emptyDir volume and mount it at the log path.
AnswerD

emptyDir volumes share the Pod's lifetime and persist across container restarts within the same Pod.

Why this answer

Option D is correct because an emptyDir volume provides a simple, ephemeral storage solution that persists across container restarts within the same Pod. When a container crashes and is restarted by the kubelet, the emptyDir volume's contents remain intact, allowing log files to survive container restarts without requiring external storage or complex configuration.

Exam trap

CNCF often tests the misconception that container restarts always wipe all data, leading candidates to choose persistent storage options like PVCs or hostPath, when in fact emptyDir volumes are specifically designed to survive container restarts within the same Pod.

How to eliminate wrong answers

Option A is wrong because a PersistentVolumeClaim (PVC) is designed for durable, long-term storage that survives Pod deletion and rescheduling, which is overkill for simple log persistence across container restarts and adds unnecessary complexity. Option B is wrong because a hostPath volume ties the Pod to a specific node and poses security risks (e.g., allowing container access to the host filesystem), and it is not the simplest solution for log persistence within a Pod. Option C is wrong because a ConfigMap is intended for storing configuration data (e.g., key-value pairs, small files) and is not designed for dynamic, writable log output; ConfigMaps are read-only when mounted and cannot be written to by containers.

426
MCQmedium

A developer deploys a pod with the following resource specification:

```yaml
resources:
  requests:
    memory: "256Mi"
  limits:
    memory: "512Mi"
```

The pod is killed with OOMKilled. What is the most likely cause?

A.The container exceeded the memory request of 256Mi
B.The node ran out of memory
C.The CPU limit was too low
D.The container exceeded the memory limit of 512Mi
AnswerD

OOMKilled indicates the container exceeded its memory limit.

Why this answer

The OOMKilled termination reason indicates the container was terminated by the Linux kernel's Out-Of-Memory (OOM) killer because it attempted to use more memory than its configured limit of 512Mi. Kubernetes enforces memory limits using cgroups; when the container exceeds the limit, the kernel kills the process, resulting in the OOMKilled status.

Exam trap

CNCF often tests the distinction between requests and limits, trapping candidates who think exceeding a request causes termination, when in fact only exceeding the limit triggers OOMKilled.

How to eliminate wrong answers

Option A is wrong because exceeding the memory request of 256Mi does not cause termination; requests are used for scheduling and guaranteed QoS, not enforcement. Option B is wrong because node memory exhaustion would cause the node to evict pods or the OOM killer to target pods, but the pod's explicit memory limit is the direct cause here, not node-level pressure. Option C is wrong because CPU limits do not cause OOMKilled; CPU is a compressible resource, and exceeding CPU limits results in throttling, not termination.

427
MCQeasy

Which Kubernetes control plane component is the primary entry point for all administrative tasks and serves the Kubernetes API?

A.kube-scheduler
B.kube-controller-manager
C.kube-apiserver
D.etcd
AnswerC

The API server exposes the Kubernetes API and is the primary management entry point.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane and the sole entry point for all administrative operations. It exposes the Kubernetes REST API, validates and processes requests (including authentication, authorization, and admission control), and updates the corresponding objects in etcd. Without the API server, no kubectl command, automation, or internal component communication can occur.

Exam trap

CNCF often tests the misconception that etcd is the primary entry point because it stores all cluster data, but the trap here is that etcd is a data store, not an API endpoint — all interactions must go through the kube-apiserver, which is the only component that communicates directly with etcd.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is responsible only for assigning newly created pods to nodes based on resource requirements and policies, not for serving the API or handling administrative tasks. Option B is wrong because kube-controller-manager runs controller processes (e.g., Node Controller, Replication Controller) that watch the desired state via the API server, but it does not expose an API endpoint itself. Option D is wrong because etcd is a distributed key-value store used as Kubernetes' backing store for all cluster data, but it is not the entry point for administrative tasks and does not serve the Kubernetes API.

428
MCQeasy

Which component of the Kubernetes control plane stores the cluster state?

A.etcd
B.kube-controller-manager
C.kube-scheduler
D.kube-apiserver
AnswerA

etcd is the key-value store for cluster state.

Why this answer

etcd is a distributed key-value store that persists the entire cluster configuration and state.

429
MCQeasy

Which Kubernetes control plane component is responsible for storing the cluster state and configuration data?

A.kube-controller-manager
B.etcd
C.kube-apiserver
D.kube-scheduler
AnswerB

etcd is the key-value store used to persist all cluster data and configuration.

Why this answer

Option B is correct. etcd is a distributed key-value store that holds the cluster state and configuration. kube-apiserver exposes the API, kube-scheduler assigns pods to nodes, and kube-controller-manager runs controllers.

430
Multi-Selectmedium

Which TWO of the following are responsibilities of the kube-controller-manager?

Select 2 answers
A.Assigning pods to nodes based on resource requirements
B.Ensuring the correct number of pod replicas are running
C.Implementing network rules for Services
D.Monitoring node health and responding to node failures
E.Storing the cluster state
AnswersB, D

The Replication Controller ensures the desired number of replicas.

Why this answer

The kube-controller-manager runs controller processes that regulate the state of the cluster. The ReplicaSet controller, which runs inside the kube-controller-manager, is responsible for ensuring that the desired number of pod replicas are running at all times, creating or deleting pods as necessary to match the specified replica count.

Exam trap

The trap here is that candidates often confuse the kube-controller-manager's role in node health monitoring with the kube-scheduler's role in pod placement, or they mistakenly think the controller-manager handles network rules, which is actually done by kube-proxy.

431
MCQmedium

A Deployment is configured with 'replicas: 4' and 'strategy.type: RollingUpdate'. You update the container image. What behavior does the Deployment exhibit?

A.The Deployment creates 8 Pods total, 4 old and 4 new
B.All 4 Pods are deleted immediately and then 4 new Pods are created
C.New Pods are created before old ones are terminated, one at a time
D.The update is paused until manually resumed
AnswerC

RollingUpdate replaces Pods incrementally.

Why this answer

With a RollingUpdate strategy, the Deployment controller replaces old Pods with new ones incrementally to ensure zero downtime. By default, it creates new Pods before terminating old ones (maxSurge=25%, maxUnavailable=25%), so one new Pod is created first, then one old Pod is terminated, repeating until all 4 Pods run the new image.

Exam trap

The trap here is that candidates confuse RollingUpdate with Recreate (Option B) or assume all Pods are replaced simultaneously (Option A), failing to recognize the incremental, surge-based behavior controlled by maxSurge and maxUnavailable defaults.

How to eliminate wrong answers

Option A is wrong because a RollingUpdate does not create 8 Pods simultaneously; it creates at most 1 extra Pod (maxSurge=25% of 4 = 1) beyond the desired 4, so the total is 5, not 8. Option B is wrong because deleting all Pods immediately is a Recreate strategy, not RollingUpdate, which would cause downtime. Option D is wrong because the update is not paused; a paused update requires explicitly setting 'paused: true' in the Deployment spec, which is not mentioned in the question.

432
MCQmedium

Your application requires persistent storage that must be available across pod restarts and rescheduling. What is the recommended approach?

A.Store data in the container's writable layer
B.Use hostPath volume
C.Use an emptyDir volume
D.Use a PersistentVolumeClaim (PVC) and mount it into the pod
AnswerD

PVCs provide durable storage that persists beyond pod restarts.

Why this answer

PersistentVolumeClaims (PVCs) request storage from PersistentVolumes (PVs), which are cluster resources that provide durable storage independent of pod lifecycle.

433
MCQmedium

You want to update a Deployment's container image to v2 and perform a rolling update. Which kubectl command achieves this?

A.kubectl update deployment my-deployment --image=myapp:v2
B.kubectl replace -f updated-deployment.yaml
C.kubectl patch deployment my-deployment -p '{"spec":{"template":{"spec":{"containers":[{"name":"my-container","image":"myapp:v2"}]}}}}'
D.kubectl set image deployment/my-deployment my-container=myapp:v2 --record
AnswerD

Why this answer

Option D is correct because `kubectl set image deployment/my-deployment my-container=myapp:v2 --record` directly updates the container image of a specified container within a Deployment and triggers a rolling update by default. The `--record` flag annotates the change for audit history, which is useful for tracking rollouts. This command is the standard imperative approach for updating container images in Kubernetes Deployments.

Exam trap

CNCF often tests the distinction between imperative commands like `kubectl set image` and declarative approaches like `kubectl apply` or `kubectl replace`, and candidates may mistakenly choose `kubectl patch` or an invalid command like `kubectl update` due to familiarity with other orchestrators or confusion about the correct imperative syntax.

How to eliminate wrong answers

Option A is wrong because `kubectl update` is not a valid kubectl command; the correct imperative command for updating a Deployment's image is `kubectl set image`. Option B is wrong because `kubectl replace -f updated-deployment.yaml` performs a full replacement of the Deployment object, which is a declarative approach that does not inherently trigger a rolling update; it replaces the entire resource definition, potentially causing downtime if not managed carefully. Option C is wrong because while `kubectl patch` can update the container image, it requires a complex JSON patch and does not automatically trigger a rolling update unless the patch modifies the pod template spec; however, it is less straightforward and not the recommended imperative command for this specific task.

434
MCQmedium

A Service of type ClusterIP is created to expose a set of pods. How does the Service achieve load balancing to the pods?

A.The API server routes traffic directly to the pods
B.The kube-proxy component on each node sets up network rules to forward traffic to the pods
C.The kubelet configures the container runtime to route traffic
D.Using a cloud load balancer
AnswerB

kube-proxy handles the implementation of ClusterIP Services.

Why this answer

kube-proxy on each node implements the Service by setting up iptables or IPVS rules to distribute traffic to the endpoints.

435
Multi-Selectmedium

Which two of the following are Kubernetes controllers that run inside the kube-controller-manager? (Select TWO)

Select 2 answers
A.kubelet
B.Replication controller
C.etcd
D.Node controller
E.kube-scheduler
AnswersB, D

Ensures correct number of pod replicas.

Why this answer

Node controller and Replication controller are part of the controller-manager. The scheduler is a separate component. kubelet is a node agent, not a controller.

436
Multi-Selectmedium

Which TWO of the following are valid methods for exposing a Service externally?

Select 2 answers
A.ExternalName
B.Ingress
C.LoadBalancer
D.ClusterIP
E.NodePort
AnswersC, E

LoadBalancer provisions an external load balancer.

Why this answer

Option C (LoadBalancer) is correct because it provisions an external load balancer (e.g., AWS ELB, GCP TCP LB) that assigns a public IP address to the Service, making it accessible from outside the cluster. Option E (NodePort) is correct because it exposes the Service on a static port (30000–32767) on every Node's IP, allowing external traffic to reach the Service via `<NodeIP>:<NodePort>`. Both are valid Service types in Kubernetes for external exposure.

Exam trap

The trap here is that candidates often confuse Ingress as a Service type or think ExternalName provides external access, when in fact Ingress is a separate resource and ExternalName is purely a DNS alias with no proxying or port exposure.
