What is the purpose of a Service in Kubernetes?
This is the primary purpose of a Service.
Why this answer
A Service provides a stable IP address and DNS name to access a set of pods, enabling load balancing and service discovery.
61 of 436 questions · Page 6/6 · Kubernetes Fundamentals · Answers revealed
Which Kubernetes resource can be used to assign a pod to a specific node?
Node affinity (requiredDuringSchedulingIgnoredDuringExecution) can force scheduling to specific nodes.
Why this answer
nodeSelector is a simple field in the pod spec that schedules the pod onto nodes with matching labels.
Which two statements correctly describe etcd in a Kubernetes cluster?
Correct.
Why this answer
etcd is a distributed key-value store that stores all cluster state. It is part of the control plane and should be backed up.
You have a web application that needs to read configuration from a file and also access a database password. Which combination of resources should you use to manage these configurations securely?
Separating concerns: ConfigMap for non-sensitive, Secret for sensitive.
Why this answer
ConfigMap is for non-sensitive configuration, Secret is for sensitive data like passwords.
You have a Deployment defined with replicas: 3. You run 'kubectl scale deployment my-deployment --replicas=5'. What happens?
Scaling increases the replica count, and the controller creates new pods.
Why this answer
The 'kubectl scale' command changes the desired replica count, and the Deployment controller creates additional pods to match.
Which of the following is the smallest deployable unit in Kubernetes?
A pod is the smallest deployable unit.
Why this answer
A Pod is the smallest and simplest Kubernetes object, representing a group of one or more containers with shared storage/network.
Which API version is correct for a Deployment in modern Kubernetes (v1.29+)?
apps/v1 is the correct stable API version for Deployment.
Why this answer
Deployment is a stable resource since Kubernetes 1.9, and the correct API version is apps/v1.
An administrator runs 'kubectl get pods' and sees that a pod is in 'Pending' state. 'kubectl describe pod' shows the event: '0/4 nodes are available: 1 node had taints that the pod didn't tolerate, 3 nodes had insufficient memory'. What is the most likely issue?
Correct; insufficient memory prevents scheduling.
Why this answer
Option C is correct because the scheduler event explicitly states '3 nodes had insufficient memory', which directly indicates that the pod's resource requests (specifically memory) exceed the available allocatable memory on those three nodes. The fourth node is unavailable due to taints, leaving zero schedulable nodes, hence the 'Pending' state.
Exam trap
Cisco often tests the distinction between taint/toleration and resource constraints — candidates mistakenly think the taint is the primary issue, but the event clearly shows only one node is tainted while three have insufficient memory, making resource exhaustion the dominant cause.
How to eliminate wrong answers
Option A is wrong because the event says '1 node had taints that the pod didn't tolerate': this is a taint/toleration mismatch in which the pod lacks the required toleration, not a toleration mismatch on the node. Option B is wrong because image pull failures would appear as 'ErrImagePull' or 'ImagePullBackOff' events in 'kubectl describe pod', not as node availability issues. Option D is wrong because eviction due to resource pressure would result in a 'Terminating' or 'Evicted' status, not 'Pending', and the event would reference eviction, not node availability.
What is the primary purpose of the `kubectl apply` command?
`kubectl apply` creates or updates resources declaratively.
Why this answer
The `kubectl apply` command uses a declarative approach to manage Kubernetes resources. It sends a PATCH request to the API server, which compares the desired state in the provided manifest (YAML/JSON) with the current state of the resource in the cluster. If the resource does not exist, it creates it; if it does exist, it updates only the fields specified in the manifest, preserving any fields not mentioned.
Exam trap
CNCF often tests the confusion between imperative commands (like `kubectl create` or `kubectl run`) and declarative commands (`kubectl apply`), leading candidates to mistakenly think `apply` only creates resources or only updates them, rather than understanding it handles both idempotently.
How to eliminate wrong answers
Option B is wrong because viewing resource details is the purpose of `kubectl get` (to list resources) or `kubectl describe` (to show detailed state), not `kubectl apply`. Option C is wrong because deleting resources is done with `kubectl delete`, which sends a DELETE request to the API server, whereas `apply` never removes resources. Option D is wrong because executing commands inside a container is the function of `kubectl exec`, which uses the container runtime's exec API (e.g., via CRI or Docker), not the Kubernetes API for resource management.
You have a Pod that is running but not receiving traffic. You suspect the associated Service's selector does not match the Pod labels. Which kubectl command would you use to check the Service's selector?
This shows detailed information including the selector field.
Why this answer
Option B is correct because `kubectl describe service <service-name>` displays the service's selector field under the 'Selector' section, allowing you to directly compare it with the Pod's labels. This is the most straightforward way to verify if the selector matches the Pod labels, which is essential for traffic routing.
Exam trap
CNCF often tests the distinction between checking the selector definition versus checking the resulting endpoints, so candidates may mistakenly choose `kubectl get endpoints` because it shows the current routing status, but it does not reveal the selector itself.
How to eliminate wrong answers
Option A is wrong because `kubectl get endpoints <service-name>` shows the current endpoints (Pod IPs) that the service is routing to, but it does not show the service's selector; it only reveals the result of the selector matching, not the selector itself. Option C is wrong because `kubectl get service <service-name> -o yaml` does output the full service definition, selector included, but it is more verbose and less direct than `kubectl describe`, which is the standard, concise method the question asks for. Option D is wrong because `kubectl logs <pod-name>` retrieves the logs from the Pod's containers, which provides application-level output but no information about the service's selector or label matching.
Which TWO statements about Kubernetes Namespaces are correct?
Namespaces enable resource isolation and multi-tenancy.
Why this answer
Option A is correct because Kubernetes Namespaces are a mechanism to partition a single cluster into virtual sub-clusters, enabling multi-tenancy by isolating resources (e.g., Pods, Services) and controlling access via RBAC. This allows different users or teams to work in separate scopes within the same cluster, preventing naming conflicts and enabling resource governance.
Exam trap
CNCF often tests the misconception that Namespaces provide automatic network isolation, but in reality, network policies must be explicitly defined to restrict traffic between namespaces.
You are asked to schedule a pod on a node that has SSD storage. Which mechanism should you use to achieve this?
nodeSelector ensures the pod is scheduled on nodes with the matching label.
Why this answer
Option C is correct because nodeSelector is the built-in Kubernetes mechanism for constraining a pod to nodes with specific labels. By labeling a node with disktype=ssd and adding that same label selector to the pod spec, the scheduler will only place the pod on nodes that have that label, ensuring it lands on SSD-equipped nodes.
Exam trap
The trap here is that candidates confuse tolerations (which only allow scheduling on tainted nodes) with node selectors (which actively target nodes), leading them to pick D instead of C.
How to eliminate wrong answers
Option A is wrong because resource requests specify minimum CPU/memory capacity, not storage type or node attributes; they cannot select nodes based on disk type. Option B is wrong because annotations are metadata for non-identifying information and are not used by the scheduler for node selection; they have no effect on pod placement. Option D is wrong because tolerations allow pods to be scheduled on tainted nodes but do not actively select nodes; they only permit scheduling on nodes that would otherwise repel the pod, without guaranteeing the node has SSD storage.
Which TWO of the following are responsibilities of the kube-controller-manager? (Select 2)
The Replication Controller ensures the correct replica count.
Why this answer
The kube-controller-manager runs controllers that handle node lifecycle (Node Controller) and ensure the correct number of pods are running (Replication Controller).
You need to store a database password securely and make it available to a Pod as an environment variable. Which Kubernetes resource should you create?
Secrets store sensitive data like passwords, tokens, and keys.
Why this answer
Secrets are designed to store sensitive data, such as passwords, and can be exposed to Pods via environment variables or volumes.
Which kubectl command would you use to view detailed information about a pod named 'web-pod' in the 'default' namespace?
This provides detailed status, events, and configuration.
Why this answer
kubectl describe pod provides detailed information including events. kubectl get pod -o yaml outputs YAML, but describe is the standard command for detailed info.
Which Kubernetes control plane component is the entry point for all REST API requests?
The API server validates and processes REST requests.
Why this answer
kube-apiserver exposes the Kubernetes API and handles all API requests.
A pod is stuck in Pending state. Which of the following is the MOST likely reason?
The scheduler cannot find a node with enough CPU/memory/ports.
Why this answer
Pending means the pod has not been scheduled to a node, often due to insufficient resources or node constraints.
A developer needs to update a running Deployment's container image from 'nginx:1.21' to 'nginx:1.23' with minimal downtime and the ability to roll back if the new version fails. Which kubectl command should be used?
This command updates the image and initiates a rolling update.
Why this answer
'kubectl set image' updates the container image and triggers a rolling update, which is the default update strategy for Deployments.
Which Kubernetes control plane component is responsible for maintaining the desired state of the cluster by running controllers?
Why this answer
The kube-controller-manager runs controllers that watch the state of the cluster and make changes to drive the current state toward the desired state.
Which component is responsible for ensuring that the containers in a pod are running as specified?
The kubelet is the primary node agent that runs and maintains containers according to pod specs.
Why this answer
The kubelet on each node communicates with the API server and ensures that the containers described in pod specs are healthy and running.
Which of the following is a way to provide configuration data to a pod without baking it into the container image?
ConfigMaps store configuration data that can be consumed by pods as environment variables or files.
Why this answer
ConfigMaps allow you to decouple configuration artifacts from image content.
Which TWO of the following are correct about the 'kubectl apply' command compared to 'kubectl create'? (Select exactly two.)
apply accepts files, directories, and URLs.
Why this answer
kubectl apply uses declarative object management; it creates the object if it doesn't exist, but also updates existing objects by applying the configuration. The -f flag can be a file or directory.
Which TWO of the following are responsibilities of the kubelet? (Select 2)
The kubelet registers the node and periodically reports node status to the API server.
Why this answer
The kubelet is the node agent that ensures containers are running and healthy, and it reports node status to the control plane. kube-proxy handles network rules, and the scheduler assigns pods to nodes.
A user reports that they cannot connect to a Service from within the cluster. The Service is of type ClusterIP. Running 'kubectl get endpoints service-name' shows no endpoints. What is the most likely cause?
Endpoints are created by matching pods with the selector; if none match, endpoints are empty.
Why this answer
If endpoints are empty, the Service selector does not match any pods, or the pods are not ready.
You need to store a database password securely and expose it to a Pod as an environment variable. Which Kubernetes resource should you use?
Secrets store sensitive data, such as passwords, and can be injected into Pods as environment variables or volumes.
Why this answer
Option C is correct. Secrets are designed to store sensitive data like passwords and can be exposed as environment variables or mounted as volumes. ConfigMaps are for non-sensitive configuration.
PersistentVolumeClaims are for storage. A Service does not store configuration.
A developer needs to deploy a stateless application with three replicas and ensure that updates are rolled out with zero downtime. Which Kubernetes resource is most appropriate?
Deployment manages ReplicaSets and supports rolling updates.
Why this answer
A Deployment manages ReplicaSets and supports declarative rolling updates, making it ideal for stateless applications.
Which two statements about Pods are true? (Select TWO)
They share the same IP and port space, and can communicate via localhost.
Why this answer
A Pod is the smallest deployable unit in Kubernetes and can contain one or more containers that share the same network namespace. Containers in a Pod share the same IP and port space.
Which kubectl command would you use to view the detailed state of a pod named 'web-pod' in the 'default' namespace?
Correct. 'kubectl describe' gives detailed information including events.
Why this answer
Option C is correct because `kubectl describe pod web-pod` retrieves a detailed, multi-section view of the pod's current state, including events, conditions, container statuses, and resource usage. This command is specifically designed for deep inspection of a Kubernetes resource, unlike `kubectl get` which shows a summary, or `kubectl logs` which shows container output.
Exam trap
The trap here is that candidates confuse `kubectl get` (which shows a summary) with `kubectl describe` (which shows detailed state), especially when the question asks for 'detailed state' — CNCF often tests this distinction by making the summary command look plausible at first glance.
How to eliminate wrong answers
Option A is wrong because `kubectl logs web-pod` fetches the stdout/stderr logs from the pod's containers, not the pod's detailed state or configuration. Option B is wrong because `kubectl get pod web-pod` outputs a concise, one-line summary of the pod (name, ready status, restarts, age) without the detailed events, conditions, or container-level information. Option D is wrong because `kubectl exec web-pod -- /bin/sh` opens an interactive shell inside the pod's primary container, which is used for debugging or running commands inside the container, not for viewing the pod's state.
A developer creates a pod that needs to securely access a database password stored in the cluster. Which Kubernetes resource should be used to inject the password as an environment variable?
Correct; Secrets store sensitive data like passwords.
Why this answer
A Secret is the correct Kubernetes resource for injecting sensitive data like a database password into a Pod as an environment variable. Secrets store base64-encoded data and are designed specifically for confidential information, unlike ConfigMaps which store non-sensitive configuration. When mounted as environment variables, Secrets ensure the password is not exposed in plaintext in the Pod specification or image layers.
Exam trap
CNCF often tests the distinction between ConfigMaps and Secrets, trapping candidates who assume ConfigMaps can handle sensitive data because both resources can inject environment variables, but Secrets are the only secure choice for passwords.
How to eliminate wrong answers
Option B (ServiceAccount) is wrong because a ServiceAccount provides an identity for Pods to authenticate to the Kubernetes API server, not a mechanism to store or inject sensitive data like passwords. Option C (ConfigMap) is wrong because ConfigMaps are intended for non-sensitive configuration data; storing a password in a ConfigMap would violate security best practices and expose the secret in plaintext. Option D (PersistentVolumeClaim) is wrong because a PVC is used to request storage resources from a PersistentVolume, not to inject environment variables or store secrets.
You have a Deployment named 'web-app' with 3 replicas. You need to scale it to 5 replicas. Which kubectl command should you use?
The scale command changes the replica count of the deployment.
Why this answer
Option C is correct. 'kubectl scale deployment web-app --replicas=5' is the correct command to change the number of replicas. Option A is for creating resources, Option B inspects resources, and Option D edits the resource, but the scale command is more direct.
Which TWO of the following are responsibilities of the kubelet on a worker node?
kubelet is the primary node agent that manages containers.
Why this answer
The kubelet is the primary node agent that runs on each worker node. Its core responsibility is to ensure that containers are running and healthy as defined by the PodSpec, which it receives from the API server. It does this by interacting with the container runtime (e.g., containerd or CRI-O) to start, stop, and monitor containers.
Exam trap
The trap here is that candidates often confuse the kubelet's role with that of kube-proxy or the scheduler, especially because the kubelet does interact with the API server and manages Pod lifecycle, but it does not perform scheduling or network rule enforcement.
A Pod is in 'CrashLoopBackOff' state. You run 'kubectl logs <pod>' and see an error that the application cannot bind to port 8080 because the port is already in use. What is the most likely cause?
If the application or another process occupies the port, the app cannot bind.
Why this answer
CrashLoopBackOff means the container keeps crashing. The error indicates a port conflict, often because the application tries to bind to a port already in use inside the container or host.
You have a pod that needs to securely access a database password. Which Kubernetes resource should you use to store the password?
Secrets store sensitive data and are base64 encoded.
Why this answer
Secrets are designed to store sensitive information such as passwords, API keys, and certificates. ConfigMaps are for non-sensitive configuration data.
Which three of the following are true about etcd in Kubernetes?
etcd is the backing store for all cluster data.
Why this answer
Option A is correct because etcd is the primary datastore for Kubernetes, storing all cluster state including objects like Pods, ConfigMaps, and Secrets. This ensures that the Kubernetes API server has a consistent, authoritative source of truth for the entire cluster.
Exam trap
The trap here is that candidates may confuse etcd's watch functionality with message queuing, or incorrectly assume that any database with key-value storage is relational, leading them to select options B or D.
Which TWO statements about Kubernetes Services are correct?
If no type is specified, ClusterIP is used.
Why this answer
Option C is correct because the default Service type in Kubernetes is ClusterIP, which exposes the Service on a cluster-internal IP address. This means the Service is only reachable from within the cluster, providing a stable internal endpoint for pod-to-pod communication without external exposure.
Exam trap
Cisco often tests the misconception that a Service can only expose one port or that NodePort is node-specific, when in fact multiple ports are supported and NodePort opens the port on every node in the cluster.
What is the function of kube-proxy on a worker node?
kube-proxy handles iptables/IPVS rules for service load balancing.
Why this answer
kube-proxy maintains network rules to enable communication to services from inside or outside the cluster.
A pod has resource requests set to 'cpu: 500m' and 'memory: 256Mi'. The node has 2 CPU cores and 4Gi memory. How many pods with the same resource requests can be scheduled on that node, assuming no other pods?
CPU is the bottleneck; 2000m / 500m = 4.
Why this answer
CPU cores: 2 cores = 2000m. Memory: 4Gi = 4096Mi. For CPU, 2000m / 500m = 4 pods.
For memory, 4096Mi / 256Mi = 16 pods. The limiting factor is CPU, so 4 pods.
You need to securely store a database password for use by a Pod. Which Kubernetes resource should you use?
Secrets are intended for sensitive information.
Why this answer
A Secret is the correct Kubernetes resource for storing sensitive data like database passwords because it encodes the value in base64 and can be mounted as a volume or injected as an environment variable into a Pod. Unlike ConfigMaps, Secrets are designed for confidential information and support optional encryption at rest when enabled in the cluster. This ensures the password is not stored in plaintext in the Pod specification or version control.
Exam trap
CNCF often tests the misconception that ConfigMaps are suitable for all configuration data, including sensitive values, but the KCNA exam expects you to know that Secrets are the dedicated resource for confidential information like passwords and API keys.
How to eliminate wrong answers
Option B (PersistentVolumeClaim) is wrong because it is used to request storage volumes for Pods, not to store sensitive configuration data like passwords. Option C (ServiceAccount) is wrong because it provides an identity for Pods to authenticate with the Kubernetes API server, not a mechanism for storing secrets. Option D (ConfigMap) is wrong because it is intended for non-sensitive configuration data; storing a password in a ConfigMap would expose it in plaintext and violate security best practices.
Which TWO of the following are characteristics of a Namespace in Kubernetes?
Namespaces scope resource names.
Why this answer
Option C is correct because Kubernetes enforces uniqueness of resource names only within the same Namespace. This allows you to reuse names like 'my-app' across different Namespaces (e.g., dev and prod), enabling logical separation without naming conflicts.
Exam trap
CNCF often tests the misconception that Namespaces provide built-in network isolation, but in reality, they only offer logical grouping; network segmentation requires explicit NetworkPolicy resources.
A pod in the 'default' namespace cannot reach a pod in the 'backend' namespace by service name 'db-service'. Both namespaces exist and the service is running. What is the most likely cause?
The correct format is 'db-service.backend.svc.cluster.local'.
Why this answer
By default, Kubernetes DNS resolves service names only within the same namespace. To reach a service in another namespace, the fully qualified domain name (FQDN) must be used.
A pod in the 'default' namespace has the following YAML snippet:

```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
```

What is the effect of the fsGroup field?
fsGroup changes the group ownership of volumes and any files created in them.
Why this answer
fsGroup sets the group ID applied to the Pod's volumes (if any), so all files in those volumes are owned by that group. It does not affect the container's primary group.
Which TWO of the following are valid ways to assign a pod to a specific node?
Node selector uses labels to match nodes.
Why this answer
Option A is correct because `nodeSelector` is a simple, built-in field in the Pod spec that matches the pod to nodes with specific labels. When you add a `nodeSelector` with a key-value pair, the scheduler only places the pod on nodes that have that exact label. This is the most straightforward way to constrain a pod to a subset of nodes.
Exam trap
CNCF often tests the distinction between mechanisms that *constrain* scheduling (like nodeSelector and nodeAffinity) versus mechanisms that *permit* scheduling (like tolerations), and candidates mistakenly think tolerations can force a pod to a specific node when they only allow it to be scheduled on tainted nodes.
Which two of the following are true about ConfigMaps? (Select TWO.)
ConfigMaps belong to a namespace and are not cluster-wide.
Why this answer
ConfigMaps are namespace-scoped objects, meaning they exist within a specific Kubernetes namespace and can only be referenced by Pods in that same namespace. This is a fundamental property of most Kubernetes resources, ensuring isolation and organization of configuration data across different environments or teams within a cluster.
Exam trap
CNCF often tests the distinction between ConfigMaps and Secrets, specifically that ConfigMaps are for non-sensitive, plaintext data and are not encrypted by default, while Secrets are intended for sensitive data and have optional encryption at rest.
You run 'kubectl logs my-pod' and see: "Error from server (BadRequest): container "my-container" in pod "my-pod" is waiting to start: PodInitializing". What does this mean?
PodInitializing means the container hasn't started yet.
Why this answer
PodInitializing indicates that the Pod is still initializing, e.g., pulling images or running init containers. Logs are not available until the container starts.
A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?
OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.
Why this answer
Option B is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.
Option A would not help — restarting the pod without addressing the root cause will result in the same failure. Option C addresses CPU, not memory. Option D (deleting the namespace) is destructive and unnecessary.
A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?
OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.
Why this answer
The 'OOMKilled' status indicates the pod's container was terminated by the Linux kernel Out-of-Memory (OOM) killer because it exceeded its configured memory limit. Since the pod ran successfully for days, this suggests a gradual memory leak or increased workload demand. Increasing the memory limit in the pod's container resource specification allows the container to use more memory before being killed, directly addressing the root cause.
Exam trap
The trap here is that candidates may confuse 'OOMKilled' with a general crash and choose to delete/recreate the pod, not realizing the memory limit must be adjusted to prevent recurrence.
How to eliminate wrong answers
Option B is wrong because increasing the CPU request does not affect memory consumption or prevent OOM kills; CPU and memory are independent resources in Kubernetes. Option C is wrong because deleting the namespace and redeploying all workloads is an extreme, disruptive action that does not fix the underlying memory limit issue and would cause unnecessary downtime. Option D is wrong because deleting and recreating the pod only restarts the container with the same memory limit, so it will likely be OOMKilled again when memory usage spikes.
Which of the following is NOT a responsibility of the kubelet on a worker node?
Network rules and service load balancing are handled by kube-proxy, not kubelet.
Why this answer
The kubelet is the primary node agent that runs on each worker node, responsible for ensuring containers are running in a Pod as specified by the PodSpec. It performs liveness and readiness probes, starts and stops containers, and reports node and pod status to the control plane. Implementing network rules for Services, such as iptables or IPVS rules, is the responsibility of the kube-proxy, not the kubelet.
Exam trap
The trap here is that candidates often confuse the kubelet's role with kube-proxy's role, assuming the kubelet handles all networking on the node, including Service traffic routing.
How to eliminate wrong answers
Option A is wrong because the kubelet is responsible for executing liveness and readiness probes against containers and taking action based on their results (e.g., restarting containers). Option B is wrong because the kubelet directly manages container lifecycle by communicating with the container runtime (e.g., containerd, CRI-O) to start and stop containers as defined in the PodSpec. Option D is wrong because the kubelet periodically reports the node's condition and the status of each Pod to the API server via the NodeStatus and PodStatus updates.
Which TWO components are part of a Kubernetes worker node?
kubelet runs on each node and ensures containers are running as specified.
Why this answer
The kubelet is the primary node agent that runs on every worker node. It registers the node with the cluster, receives Pod specifications from the API server, and ensures that the containers described in those Pods are running and healthy. Without the kubelet, a node cannot participate in the cluster as a worker.
Exam trap
CNCF often tests the distinction between control plane and worker node components, and the trap here is that candidates mistakenly include the container runtime as a 'Kubernetes component' when it is actually a third-party dependency, or they confuse kube-scheduler as a worker node component because it deals with Pod placement.
What is the role of kube-scheduler in Kubernetes?
This is the scheduler's primary function.
Why this answer
The kube-scheduler watches for unscheduled pods and assigns them to nodes based on resource availability and constraints.
A Pod has a container that needs to write logs to a file. The administrator wants the logs to persist even if the container restarts. What is the simplest solution?
emptyDir volumes share the Pod's lifetime and persist across container restarts within the same Pod.
Why this answer
Option D is correct because an emptyDir volume provides a simple, ephemeral storage solution that persists across container restarts within the same Pod. When a container crashes and is restarted by the kubelet, the emptyDir volume's contents remain intact, allowing log files to survive container restarts without requiring external storage or complex configuration.
Exam trap
CNCF often tests the misconception that container restarts always wipe all data, leading candidates to choose persistent storage options like PVCs or hostPath, when in fact emptyDir volumes are specifically designed to survive container restarts within the same Pod.
How to eliminate wrong answers
Option A is wrong because a PersistentVolumeClaim (PVC) is designed for durable, long-term storage that survives Pod deletion and rescheduling, which is overkill for simple log persistence across container restarts and adds unnecessary complexity. Option B is wrong because a hostPath volume ties the Pod to a specific node and poses security risks (e.g., allowing container access to the host filesystem), and it is not the simplest solution for log persistence within a Pod. Option C is wrong because a ConfigMap is intended for storing configuration data (e.g., key-value pairs, small files) and is not designed for dynamic, writable log output; ConfigMaps are read-only when mounted and cannot be written to by containers.
A developer deploys a pod with the following resource specification:

```yaml
resources:
  requests:
    memory: "256Mi"
  limits:
    memory: "512Mi"
```

The pod is killed with OOMKilled. What is the most likely cause?
OOMKilled indicates the container exceeded its memory limit.
Why this answer
The OOMKilled termination reason (exit code 137, i.e. 128 + SIGKILL) indicates the container was terminated by the Linux kernel's Out-Of-Memory (OOM) killer because it attempted to use more memory than its configured limit of 512Mi. The kubelet and container runtime enforce memory limits with cgroups; when the container's memory usage exceeds the cgroup limit, the kernel kills the process, and the container status reports OOMKilled.
Exam trap
CNCF often tests the distinction between requests and limits, trapping candidates who think exceeding a request causes termination, when in fact only exceeding the limit triggers OOMKilled.
How to eliminate wrong answers
Option A is wrong because exceeding the memory request of 256Mi does not cause termination; requests are used for scheduling decisions and QoS classification, not enforced at runtime. Option B is wrong because node-level memory pressure would surface as kubelet eviction (or, if the node runs out entirely, the kernel OOM killer choosing among processes), but the pod's explicit memory limit is the direct cause here, not node pressure. Option C is wrong because CPU limits do not cause OOMKilled; CPU is a compressible resource, so exceeding a CPU limit results in throttling, not termination, whereas memory is incompressible.
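The practical counterpart of this question is recognising an OOM kill in a Pod's status and knowing which QoS class the request/limit combination produced. The following is an added example, not part of the original quiz: it takes JSON in the shape `kubectl get pod <name> -o json` returns (the sample Pod below is constructed for this example and reuses the question's 256Mi/512Mi settings), reports containers whose termination reason is OOMKilled, and derives the QoS class using the rules the kubelet applies. Function names are this example's own.

```python
import json
import re

# Constructed sample in the shape of `kubectl get pod <name> -o json`, trimmed to
# the fields used here. Exit code 137 is 128 + SIGKILL (9): the kernel OOM killer
# delivers SIGKILL when the container breaches its cgroup memory limit.
SAMPLE_POD_JSON = """
{
  "metadata": {"name": "web-7d9f", "namespace": "default"},
  "spec": {
    "containers": [
      {"name": "app",
       "resources": {"requests": {"memory": "256Mi"},
                     "limits": {"memory": "512Mi"}}}
    ]
  },
  "status": {
    "containerStatuses": [
      {"name": "app",
       "restartCount": 3,
       "lastState": {"terminated": {"reason": "OOMKilled", "exitCode": 137}},
       "state": {"running": {}}}
    ]
  }
}
"""

# Kubernetes memory quantity suffixes (decimal and binary).
_UNITS = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}


def parse_quantity(q: str) -> int:
    """Convert a memory quantity such as '512Mi' or '1G' to bytes."""
    m = re.fullmatch(r"(\d+)([A-Za-z]*)", q.strip())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unsupported memory quantity: {q!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def load_pod(text: str = SAMPLE_POD_JSON) -> dict:
    return json.loads(text)


def oom_killed_containers(pod: dict) -> list:
    """One record per container whose current or last termination was OOMKilled."""
    limits = {c["name"]: c.get("resources", {}).get("limits", {}).get("memory")
              for c in pod["spec"]["containers"]}
    hits = []
    for cs in pod.get("status", {}).get("containerStatuses", []):
        # A crash-looping container reports the kill under lastState; a container
        # that stayed dead reports it under state.terminated. Check both.
        for where in ("lastState", "state"):
            term = cs.get(where, {}).get("terminated")
            if term and term.get("reason") == "OOMKilled":
                limit = limits.get(cs["name"])
                hits.append({"container": cs["name"],
                             "exit_code": term.get("exitCode"),
                             "memory_limit": limit,
                             "memory_limit_bytes": parse_quantity(limit) if limit else None,
                             "restarts": cs.get("restartCount", 0)})
                break
    return hits


def qos_class(pod: dict) -> str:
    """Guaranteed: every container has cpu+memory limits and request == limit
    (a request defaults to the limit when only the limit is set).
    Burstable: not Guaranteed, but some cpu/memory request or limit exists.
    BestEffort: no cpu/memory requests or limits at all."""
    any_set, guaranteed = False, True
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        req, lim = res.get("requests", {}), res.get("limits", {})
        for r in ("cpu", "memory"):
            if r in req or r in lim:
                any_set = True
            if r not in lim or req.get(r, lim[r]) != lim[r]:
                guaranteed = False
    if guaranteed:
        return "Guaranteed"
    return "Burstable" if any_set else "BestEffort"


def analyze(text: str = SAMPLE_POD_JSON) -> dict:
    pod = load_pod(text)
    return {"pod": pod["metadata"]["name"],
            "qos": qos_class(pod),
            "oom_killed": oom_killed_containers(pod)}


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

For the question's Pod the result is QoS class Burstable (a request below the limit, no CPU resources) with one OOMKilled container at exit code 137. Pipe real output through it with `kubectl get pod <name> -o json | python3 oom_check.py` after replacing the sample with `sys.stdin.read()`.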
Which Kubernetes control plane component is the primary entry point for all administrative tasks and serves the Kubernetes API?
The API server exposes the Kubernetes API and is the primary management entry point.
Why this answer
The kube-apiserver is the front-end of the Kubernetes control plane and the sole entry point for all administrative operations. It exposes the Kubernetes REST API, validates and processes requests (including authentication, authorization, and admission control), and updates the corresponding objects in etcd. Without the API server, no kubectl command, automation, or internal component communication can occur.
Exam trap
CNCF often tests the misconception that etcd is the primary entry point because it stores all cluster data, but the trap here is that etcd is a data store, not an API endpoint — all interactions must go through the kube-apiserver, which is the only component that communicates directly with etcd.
How to eliminate wrong answers
Option A is wrong because kube-scheduler is responsible only for assigning newly created pods to nodes based on resource requirements and policies, not for serving the API or handling administrative tasks. Option B is wrong because kube-controller-manager runs controller processes (e.g., Node Controller, Replication Controller) that watch the desired state via the API server, but it does not expose an API endpoint itself. Option D is wrong because etcd is a distributed key-value store used as Kubernetes' backing store for all cluster data, but it is not the entry point for administrative tasks and does not serve the Kubernetes API.
Which component of the Kubernetes control plane stores the cluster state?
etcd is the key-value store for cluster state.
Why this answer
etcd is a distributed key-value store that persists the entire cluster configuration and state.
Which Kubernetes control plane component is responsible for storing the cluster state and configuration data?
etcd is the key-value store used to persist all cluster data and configuration.
Why this answer
Option D is correct. etcd is a distributed key-value store that holds the cluster state and configuration. kube-apiserver exposes the API, kube-scheduler assigns pods to nodes, and kube-controller-manager runs controllers.
Which TWO of the following are responsibilities of the kube-controller-manager?
The Replication Controller ensures the desired number of replicas.
Why this answer
The kube-controller-manager runs controller processes that regulate the state of the cluster. The ReplicaSet controller, which runs inside the kube-controller-manager, is responsible for ensuring that the desired number of pod replicas are running at all times, creating or deleting pods as necessary to match the specified replica count.
Exam trap
The trap here is that candidates confuse the kube-controller-manager's node health monitoring (the node controller) with the kube-scheduler's Pod placement, or assume the controller-manager programs the node's network rules, which is kube-proxy's job.
A Deployment is configured with 'replicas: 4' and 'strategy.type: RollingUpdate'. You update the container image. What behavior does the Deployment exhibit?
RollingUpdate replaces Pods incrementally.
Why this answer
With a RollingUpdate strategy, the Deployment controller replaces old Pods with new ones incrementally so the application stays available throughout. With the defaults (maxSurge=25%, maxUnavailable=25%) and 4 replicas, maxSurge rounds up to 1 and maxUnavailable rounds down to 1, so at any moment there are at most 5 Pods in total and at least 3 available. The controller scales the new ReplicaSet up and the old one down in steps that stay within both bounds, counting a new Pod as available only once it passes its readiness checks, and repeats until all 4 Pods run the new image.
Exam trap
The trap here is that candidates confuse RollingUpdate with Recreate (Option B) or assume all Pods are replaced simultaneously (Option A), failing to recognize the incremental, surge-based behavior controlled by maxSurge and maxUnavailable defaults.
How to eliminate wrong answers
Option A is wrong because a RollingUpdate does not create 8 Pods simultaneously; it creates at most 1 extra Pod (maxSurge=25% of 4 = 1) beyond the desired 4, so the total is 5, not 8. Option B is wrong because deleting all Pods immediately is a Recreate strategy, not RollingUpdate, which would cause downtime. Option D is wrong because the update is not paused; a paused update requires explicitly setting 'paused: true' in the Deployment spec, which is not mentioned in the question.
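The numbers in this answer come from two rounding rules that are easy to get backwards: maxSurge is rounded up and maxUnavailable is rounded down, and when a small percentage rounds both to zero the controller forces maxUnavailable to 1 so the rollout can progress. The following is an added example, not part of the original quiz, that computes those bounds for any replica count and any integer or percentage setting; the function names are this example's own.

```python
import math
import re
from typing import Union

IntOrPercent = Union[int, str]


def resolve_int_or_percent(value: IntOrPercent, replicas: int, round_up: bool) -> int:
    """Scale a maxSurge/maxUnavailable value against the desired replica count.
    Integers are taken as-is; percentages are rounded up (maxSurge) or down
    (maxUnavailable), matching the API machinery's IntOrString handling."""
    if isinstance(value, bool):
        raise ValueError("booleans are not valid IntOrString values")
    if isinstance(value, int):
        if value < 0:
            raise ValueError("value must be non-negative")
        return value
    m = re.fullmatch(r"(\d+)%", value.strip())
    if not m or int(m.group(1)) > 100:
        raise ValueError(f"expected an integer or a percentage 0-100, got {value!r}")
    scaled = replicas * int(m.group(1)) / 100
    return math.ceil(scaled) if round_up else math.floor(scaled)


def _is_explicit_zero(value: IntOrPercent) -> bool:
    return value == 0 or (isinstance(value, str) and value.strip() == "0%")


def strategy_is_valid(max_surge: IntOrPercent, max_unavailable: IntOrPercent) -> bool:
    """The API server rejects a RollingUpdate whose maxSurge and maxUnavailable
    are both explicitly zero: no Pod could ever be replaced."""
    return not (_is_explicit_zero(max_surge) and _is_explicit_zero(max_unavailable))


def rollout_bounds(replicas: int,
                   max_surge: IntOrPercent = "25%",
                   max_unavailable: IntOrPercent = "25%") -> dict:
    """Return the Pod-count bounds the Deployment controller enforces during a rollout."""
    if not strategy_is_valid(max_surge, max_unavailable):
        raise ValueError("maxSurge and maxUnavailable may not both be 0")
    surge = resolve_int_or_percent(max_surge, replicas, round_up=True)
    unavailable = resolve_int_or_percent(max_unavailable, replicas, round_up=False)
    # Fencepost rule: a small percentage can round both values to 0 even though
    # validation passed. The controller then forces maxUnavailable to 1 rather
    # than stalling, since surging might be blocked by quota.
    fencepost_applied = False
    if surge == 0 and unavailable == 0:
        unavailable, fencepost_applied = 1, True
    return {
        "max_surge": surge,
        "max_unavailable": unavailable,
        "max_total_pods": replicas + surge,
        "min_available_pods": replicas - unavailable,
        "fencepost_applied": fencepost_applied,
    }


if __name__ == "__main__":
    for args in ((4,), (3,), (4, 0, "10%"), (10, 2, "0%")):
        print(args, rollout_bounds(*args))
```

For the question's Deployment (4 replicas, defaults) this yields at most 5 Pods and at least 3 available. Note what happens with 3 replicas: 25% of 3 surges to 1 but maxUnavailable floors to 0, so the rollout never removes an old Pod before a new one is Ready.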
Your application requires persistent storage that must be available across pod restarts and rescheduling. What is the recommended approach?
PVCs provide durable storage that persists beyond pod restarts.
Why this answer
PersistentVolumeClaims (PVCs) request storage from PersistentVolumes (PVs), which are cluster resources that provide durable storage independent of pod lifecycle.
You want to update a Deployment's container image to v2 and perform a rolling update. Which kubectl command achieves this?
Why this answer
Option D is correct because `kubectl set image deployment/my-deployment my-container=myapp:v2 --record` updates the image of the named container in the Deployment's Pod template, and because that changes the template, the Deployment controller starts a rollout under the configured strategy (RollingUpdate by default). The `--record` flag stores the command in the `kubernetes.io/change-cause` annotation so it appears in `kubectl rollout history`; note that `--record` is deprecated in current kubectl releases, so in practice set that annotation explicitly with `kubectl annotate`. `kubectl set image` is the standard imperative command for updating container images in a Deployment.
Exam trap
CNCF often tests the distinction between imperative commands like `kubectl set image` and declarative approaches like `kubectl apply` or `kubectl replace`, and candidates may mistakenly choose `kubectl patch` or an invalid command like `kubectl update` due to familiarity with other orchestrators or confusion about the correct imperative syntax.
How to eliminate wrong answers
Option A is wrong because `kubectl update` is not a valid kubectl command; the imperative command for changing a Deployment's image is `kubectl set image`. Option B is wrong not because it fails to roll out (a `kubectl replace -f` whose manifest changes the Pod template does trigger a rollout under the configured strategy) but because it replaces the entire object and needs a complete, current manifest; a stale file silently reverts every other field, and it is not the targeted image update the question asks for. Option C is wrong for a similar reason: `kubectl patch` can change the image and, since that modifies the Pod template, it does trigger a rolling update, but it requires composing a JSON or strategic-merge patch by hand, so it is not the standard imperative command for this task.
A Service of type ClusterIP is created to expose a set of pods. How does the Service achieve load balancing to the pods?
kube-proxy handles the implementation of ClusterIP Services.
Why this answer
kube-proxy on each node watches Services and EndpointSlices and programs the node's packet-handling rules (iptables or IPVS mode; newer releases also offer an nftables mode) so that a connection to the ClusterIP is DNAT-ed to one of the backend Pod IPs, which spreads traffic across the endpoints. The ClusterIP is virtual: no interface holds it, and without kube-proxy (or a CNI plugin that replaces it) the address routes nowhere.
Which two of the following are Kubernetes controllers that run inside the kube-controller-manager? (Select TWO)
Ensures correct number of pod replicas.
Why this answer
Node controller and Replication controller are part of the controller-manager. The scheduler is a separate component. kubelet is a node agent, not a controller.
Which TWO of the following are valid methods for exposing a Service externally?
LoadBalancer provisions an external load balancer.
Why this answer
Option C (LoadBalancer) is correct because it provisions an external load balancer (e.g., AWS ELB, GCP TCP LB) that assigns a public IP address to the Service, making it accessible from outside the cluster. Option E (NodePort) is correct because it exposes the Service on a static port (30000–32767) on every Node's IP, allowing external traffic to reach the Service via `<NodeIP>:<NodePort>`. Both are valid Service types in Kubernetes for external exposure.
Exam trap
The trap here is that candidates often confuse Ingress as a Service type or think ExternalName provides external access, when in fact Ingress is a separate resource and ExternalName is purely a DNS alias with no proxying or port exposure.