CCNA KCNA Container Orchestration Questions

75 of 211 questions · Page 2/3 · KCNA Container Orchestration topic · Answers revealed

76
Multi-Select · hard

Which THREE are valid ways to perform a rolling update of a Deployment in Kubernetes? (Select THREE.)

Select 3 answers
A. Manually delete all pods and let the Deployment recreate them
B. Change the number of replicas
C. Update the container image to a new version
D. Modify the environment variables in the pod spec
E. Edit the deployment's labels
Answers: C, D, E

Changing the image in the Deployment spec triggers a rolling update.

Why this answer

A rolling update can be triggered by updating the container image, changing the image tag, or modifying a label selector (though changing the selector is not recommended). Scaling is not an update: changing the number of replicas only changes how many pods run and does not trigger a rollout.

77
MCQ · medium

A pod is stuck in the 'Pending' state. You run 'kubectl describe pod mypod' and see the event: '0/3 nodes are available: 1 node had taint that the pod didn't tolerate, 2 Insufficient cpu.' What is the most likely cause?

A. The pod's liveness probe is failing
B. The pod's resource requests exceed available node capacity and a node taint is not tolerated
C. The pod's container runtime is not installed
D. The pod's image pull secret is missing
Answer: B

The events indicate insufficient CPU and an untolerated taint, preventing scheduling.

Why this answer

The pod is in 'Pending' state because the scheduler cannot find a node that meets its requirements. The event '0/3 nodes are available: 1 node had taint that the pod didn't tolerate, 2 Insufficient cpu' directly indicates that the pod's resource requests exceed the available CPU on two nodes, and the remaining node has a taint that the pod does not tolerate. This matches option B: the pod's resource requests exceed available node capacity and a node taint is not tolerated.

Exam trap

The trap here is that candidates may confuse 'Pending' state with post-scheduling issues like probe failures or image pull errors, but the event message explicitly points to scheduling failures (resource insufficiency and taint intolerance), which are the only reasons a pod remains unscheduled.

How to eliminate wrong answers

Option A is wrong because a failing liveness probe would cause the pod to be restarted or marked as 'CrashLoopBackOff', not stuck in 'Pending' — liveness probes only run after the pod is scheduled and started. Option C is wrong because if the container runtime were not installed, the kubelet would report a 'ContainerRuntimeNotReady' condition, and the pod would not even be considered for scheduling; the scheduler would not produce 'Insufficient cpu' events. Option D is wrong because a missing image pull secret would cause an 'ImagePullBackOff' or 'ErrImagePull' error after the pod is scheduled, not a 'Pending' state with resource-related scheduling failures.

78
Multi-Select · medium

Which TWO statements about containers are true compared to virtual machines? (Select TWO.)

Select 2 answers
A. Containers are more lightweight and start faster than VMs
B. Containers include a full guest operating system
C. Containers are more portable across different environments
D. Containers provide stronger isolation than VMs
E. Containers require a hypervisor to run
Answers: A, C

Because they share the host kernel and do not need to boot an OS, containers are lightweight and start quickly.

Why this answer

Containers share the host OS kernel, making them lightweight and fast to start, and they are more portable because they bundle only the application and its dependencies.

79
Drag & Drop · medium

Drag and drop the steps to update a Kubernetes Secret and ensure Pods use the new value into the correct order.

Why this order

Update the Secret, verify, force Pod recreation if needed, wait for new Pods, and verify the new value.

80
MCQ · medium

Which command would you run to get a list of all pods in all namespaces?

A. kubectl get pods --namespace=*
B. kubectl get pods --global
C. kubectl get pods --all-namespaces
D. kubectl get pods --include-uninitialized
Answer: C

This lists pods in all namespaces.

Why this answer

Option C is correct because `kubectl get pods --all-namespaces` (or its shorthand `-A`) retrieves pods from every namespace in the cluster. This flag overrides the default behavior of `kubectl get pods`, which only returns pods in the current namespace (usually `default`).

Exam trap

CNCF often tests the misconception that a wildcard or global flag exists for namespace selection, leading candidates to choose `--namespace=*` or `--global` instead of the correct `--all-namespaces` flag.

How to eliminate wrong answers

Option A is wrong because `--namespace=*` is not a valid kubectl syntax; the asterisk wildcard is not supported for namespace selection, and kubectl will return an error. Option B is wrong because `--global` is not a valid kubectl flag; it does not exist and would cause a parsing error. Option D is wrong because `--include-uninitialized` is a deprecated flag that was used in older Kubernetes versions to include pods that had not yet been fully initialized, but it does not affect namespace scope and is no longer supported in recent releases.

81
Multi-Select · hard

Which THREE of the following are key characteristics of microservices architecture?

Select 3 answers
A. Independent deployment of services
B. Decomposition by business capability
C. Single monolithic codebase
D. Shared database schema across services
E. Loose coupling between services
Answers: A, B, E

Each microservice can be deployed independently.

Why this answer

Microservices decompose applications into small, independent services that can be deployed separately and communicate via APIs.

82
MCQ · hard

You need to deploy an application that requires exactly one pod per cluster node for logging purposes. Which Kubernetes workload resource should you use?

A. DaemonSet
B. Job
C. StatefulSet
D. Deployment
Answer: A

DaemonSet runs a pod on each node.

Why this answer

A DaemonSet ensures that a copy of a pod runs on every node in the cluster, or on a subset of nodes if a node selector is used. This is the correct resource for deploying a logging agent that must be present on each node to collect logs from that node's containers and system components.

Exam trap

The trap here is that candidates often confuse DaemonSet with Deployment, assuming a Deployment with replicas equal to the node count will achieve the same effect, but Deployments do not guarantee one pod per node and can schedule multiple pods on the same node or leave nodes empty.

How to eliminate wrong answers

Option B (Job) is wrong because a Job creates one or more pods that run to completion and then stop, which is unsuitable for a continuously running logging daemon that must persist on every node. Option C (StatefulSet) is wrong because StatefulSet is designed for stateful applications that require stable, unique network identities and persistent storage, not for ensuring one pod per node. Option D (Deployment) is wrong because a Deployment manages replicas across the cluster without guaranteeing that a pod runs on every node; it uses a scheduler to distribute pods based on resource availability, not node coverage.

83
MCQ · medium

You need to ensure that a set of pods in a Deployment can be reached by other pods using a stable IP address and DNS name. Which Kubernetes object should you use?

A. Service
B. NetworkPolicy
C. Ingress
D. ConfigMap
Answer: A

A Service provides a stable IP and DNS name for a set of pods.

Why this answer

A Service provides a stable endpoint for a set of pods, with DNS name resolution within the cluster.

84
MCQ · medium

What is the role of etcd in a Kubernetes cluster?

A. It serves as the container runtime
B. It stores cluster state and configuration
C. It provides DNS-based service discovery
D. It schedules pods onto nodes
Answer: B

etcd is the cluster's backing store.

Why this answer

etcd is a distributed, consistent key-value store that serves as Kubernetes' primary datastore for all cluster state and configuration data. It stores objects like pods, services, deployments, secrets, and configmaps, and is the source of truth for the entire cluster. The Kubernetes API server is the only component that communicates directly with etcd, ensuring strong consistency via the Raft consensus protocol.

Exam trap

The trap here is that candidates often confuse etcd with the container runtime or the scheduler because all three are essential components, but only etcd is the persistent, consistent store for cluster state, not a runtime or decision-making component.

How to eliminate wrong answers

Option A is wrong because the container runtime (e.g., containerd, CRI-O, or Docker) is responsible for pulling images and running containers, not etcd. Option C is wrong because DNS-based service discovery in Kubernetes is provided by CoreDNS (or kube-dns), which resolves service names to cluster IPs, not by etcd. Option D is wrong because pod scheduling onto nodes is performed by the kube-scheduler, which reads node and pod data from etcd via the API server but does not directly interact with etcd.

85
Drag & Drop · medium

Drag and drop the steps for a rolling update of a Kubernetes Deployment into the correct order.

Why this order

Change the image, apply, monitor rollout, verify health, and rollback if issues arise.

86
MCQ · medium

What is the Open Container Initiative (OCI) responsible for?

A. Certifying Kubernetes administrators
B. Providing a hosted container registry
C. Defining standards for container images and runtimes
D. Managing the Kubernetes source code
Answer: C

OCI oversees the image spec and runtime spec.

Why this answer

The Open Container Initiative (OCI) is a Linux Foundation project that defines open industry standards for container formats and runtimes. Specifically, it maintains the OCI Image Specification (which standardizes the container image format, including layers and configuration) and the OCI Runtime Specification (which defines the lifecycle and interface for container runtimes like runc). This ensures interoperability between different container tools and platforms.

Exam trap

The trap here is that candidates confuse the OCI with the CNCF, assuming the OCI manages Kubernetes or its certification, when in fact the OCI focuses solely on container format and runtime standards, while the CNCF oversees Kubernetes and its ecosystem.

How to eliminate wrong answers

Option A is wrong because certifying Kubernetes administrators is the responsibility of the Cloud Native Computing Foundation (CNCF) through the Certified Kubernetes Administrator (CKA) program, not the OCI. Option B is wrong because providing a hosted container registry is a service offered by cloud providers (e.g., Docker Hub, Amazon ECR, Google Container Registry) or self-hosted solutions, not a function of the OCI. Option D is wrong because managing the Kubernetes source code is the role of the CNCF and the Kubernetes community via the Kubernetes GitHub repository; the OCI focuses on container standards, not Kubernetes-specific code.

87
Multi-Select · medium

Which TWO of the following are valid ways to expose a set of pods as a network service in Kubernetes? (Select two.)

Select 2 answers
A. Creating a Deployment with a label selector
B. Creating a PersistentVolumeClaim
C. Creating an Ingress resource
D. Assigning a public IP directly to a Pod
E. Creating a Service of type ClusterIP
Answers: C, E

Ingress exposes HTTP/HTTPS routes to services outside the cluster.

Why this answer

A Service is the primary resource for exposing pods; a Service of type ClusterIP gives them a stable in-cluster address. An Ingress can expose HTTP/HTTPS routes to Services. Option A (Deployment) is not a networking resource; Option B (PersistentVolumeClaim) is for storage; Option D is wrong because a Pod is not exposed directly by assigning it a public IP.

88
MCQ · hard

A user runs 'kubectl exec -it pod1 -- /bin/sh' and gets the error: 'error: unable to upgrade connection: container not found ("app")'. The pod has one container named 'app'. What is the most likely cause?

A. The pod is running on a different node
B. The container image does not have /bin/sh
C. The container name is misspelled
D. The pod is in a CrashLoopBackOff state
Answer: D

If the container is crashing repeatedly, it may not be running when exec attempts to connect, resulting in this error.

Why this answer

The pod is not running; kubectl exec requires the container to be running. The pod might be in a CrashLoopBackOff state or not yet started.

89
Multi-Select · medium

Which TWO statements correctly describe how Kubernetes handles self-healing? (Select two.)

Select 2 answers
A. If a node fails, the ReplicaSet controller automatically recreates the pods on healthy nodes
B. If a container in a pod crashes, the kubelet restarts it according to the pod's restart policy
C. Kubernetes automatically fixes application-level bugs by rolling back to a previous version
D. Kubernetes can automatically resolve OOMKilled errors by increasing memory limits
E. Kubernetes can automatically resolve OOMKilled errors by increasing memory limits
Answers: A, B

The ReplicaSet (or Deployment) controller detects that pods are no longer running and creates replacement pods on available nodes.

Why this answer

Option A is correct because the ReplicaSet controller monitors the cluster for node failures and, when a node becomes unhealthy, it creates replacement pods on other healthy nodes to maintain the desired replica count. This is a core self-healing mechanism in Kubernetes that operates at the controller level, independent of the kubelet.

Exam trap

CNCF often tests the distinction between automatic self-healing at the infrastructure level (node/pod restarts) versus manual or policy-driven recovery for application-level issues, leading candidates to incorrectly assume Kubernetes automatically fixes bugs or adjusts resource limits.

90
MCQ · medium

What is the purpose of the Container Runtime Interface (CRI) in Kubernetes?

A. To allow kubelet to use different container runtimes without modifying its code
B. To replace Docker as the only supported runtime
C. To define the format of container images
D. To provide a standard API for managing containers across different orchestration platforms
Answer: A

CRI abstracts the container runtime so that kubelet can work with containerd, CRI-O, etc.

Why this answer

CRI is a plugin interface that allows kubelet to use a variety of container runtimes without needing to recompile kubelet. It standardizes how kubelet communicates with the runtime.

91
MCQ · easy

Which component of Kubernetes is responsible for maintaining the desired state of the cluster?

A. kube-scheduler
B. kube-controller-manager
C. kubelet
D. kube-apiserver
Answer: B

Correct. It runs controllers that reconcile desired state.

Why this answer

The kube-controller-manager runs the controller processes that regulate the state of the cluster. Each controller continuously watches the current state through the kube-apiserver and takes corrective action to bring it in line with the desired state, such as ensuring that the correct number of pods is running.

Exam trap

CNCF often tests the misconception that the kube-scheduler maintains desired state because it 'schedules' pods, but scheduling is only one part of the control loop; the actual state reconciliation is done by the controller-manager.

How to eliminate wrong answers

Option A is wrong because the kube-scheduler is responsible for assigning pods to nodes based on resource availability and constraints, not for maintaining the desired state. Option C is wrong because the kubelet is an agent that runs on each node and ensures containers are running in a pod, but it does not maintain the cluster-wide desired state. Option D is wrong because the kube-apiserver serves as the front-end for the Kubernetes control plane, handling API requests and storing state in etcd, but it does not actively enforce or reconcile the desired state.

92
MCQ · easy

Which of the following best describes a key advantage of containers over virtual machines?

A. Containers share the host OS kernel, resulting in lower resource overhead compared to VMs
B. Containers take longer to start than VMs because they need to initialize a kernel
C. Containers consume more disk space than VMs because they include a full operating system
D. Containers have stronger isolation than VMs because each container runs its own kernel
Answer: A

Containers share the host kernel, eliminating the need for a guest OS per instance, which reduces resource consumption and improves density.

Why this answer

Option A is correct. Containers share the host OS kernel, making them more lightweight than VMs, which each include a full guest OS. Option B is false: containers do not initialize a kernel, and it is VMs that typically take longer to start.

Option C is false: resource usage, including disk space, is lower for containers. Option D is false: containers share the host kernel rather than each running its own.

93
MCQ · medium

A DevOps engineer wants to update a Deployment's container image from 'v1' to 'v2' with zero downtime. Which kubectl command should they use?

A. kubectl rollout restart deployment/<name>
B. kubectl patch deployment <name> -p '{"spec":{"template":{"spec":{"containers":[{"name":"<container>","image":"<image>:v2"}]}}}}'
C. kubectl set image deployment/<name> <container>=<image>:v2
D. kubectl edit deployment <name>
Answer: C

This command triggers a rolling update, which by default updates pods gradually with zero downtime.

Why this answer

Option C is correct because `kubectl set image` directly updates the container image in a Deployment's pod template, triggering a rolling update that replaces pods incrementally with zero downtime. Kubernetes Deployments manage ReplicaSets to ensure availability during the update, making this the simplest and most reliable command for a controlled image change.

Exam trap

The trap here is that candidates may confuse `kubectl rollout restart` (which only restarts pods with the same image) with `kubectl set image` (which actually changes the image), or assume that any command modifying the Deployment (like patch or edit) inherently provides zero downtime without considering the rolling update mechanism.

How to eliminate wrong answers

Option A is wrong because `kubectl rollout restart` triggers a restart of all pods with the existing image, not an image update; it does not change the container image from 'v1' to 'v2'. Option B is wrong because while a patch can update the image, it requires manually specifying the full container name and image string, which is error-prone and less concise than `kubectl set image`; it also does not inherently enforce a rolling update strategy if the Deployment's update strategy is misconfigured. Option D is wrong because `kubectl edit` opens an interactive editor, which is not suitable for automation or scripting and introduces risk of human error; it does not guarantee zero downtime if the user accidentally changes other fields.

94
MCQ · easy

Which of the following is a container runtime that implements the Container Runtime Interface (CRI)?

A. containerd
B. Docker
C. runc
D. kubelet
Answer: A

containerd is a high-level container runtime that implements the CRI and is used by Kubernetes.

Why this answer

containerd is a high-level container runtime that directly implements the Container Runtime Interface (CRI) by exposing a gRPC API that kubelet can call to manage pods and containers. It was originally extracted from Docker and is now the default runtime in many Kubernetes distributions, providing image transfer, container lifecycle management, and storage/network attachment without requiring Docker as an intermediary.

Exam trap

CNCF often tests the misconception that Docker is a CRI-compliant runtime, when in fact Docker uses a separate adapter (dockershim) that was removed in Kubernetes v1.24, making containerd the standard CRI implementation.

How to eliminate wrong answers

Option B (Docker) is wrong because Docker does not implement the CRI natively; instead, Kubernetes used the dockershim (deprecated and removed in v1.24) as a CRI adapter to translate CRI calls into Docker API calls, meaning Docker is not a CRI-compliant runtime itself. Option C (runc) is wrong because runc is a low-level OCI runtime that only creates and runs containers according to the OCI spec; it does not implement the CRI gRPC interface or handle higher-level tasks like image management or pod sandbox creation. Option D (kubelet) is wrong because kubelet is the Kubernetes node agent that acts as a CRI client, not a CRI implementation; it calls the CRI API on a container runtime (like containerd) to manage containers.

95
MCQ · hard

A microservices application has multiple services that need to discover each other by name. Which Kubernetes object provides built-in service discovery via DNS?

A. Ingress
B. Namespace
C. ConfigMap
D. Service
Answer: D

Services are assigned DNS names (e.g., my-svc.namespace.svc.cluster.local).

Why this answer

Services in Kubernetes are assigned DNS names, allowing pods to resolve service names to cluster IPs.

96
MCQ · medium

Which command would you use to view the logs of a specific container in a multi-container pod?

A. kubectl logs mycontainer -p mypod
B. kubectl logs mypod --container mycontainer
C. kubectl logs mypod -c mycontainer
D. kubectl logs mypod mycontainer
Answer: C

Correct: -c specifies the container name.

Why this answer

The -c flag specifies the container name within the pod.

97
Multi-Select · hard

Which THREE of the following are valid container runtimes that can be used with Kubernetes via the Container Runtime Interface (CRI)? (Select three.)

Select 3 answers
A. rkt
B. containerd
C. Kata Containers
D. Docker
E. CRI-O
Answers: B, C, E

containerd is a CRI-compliant runtime and is widely used in Kubernetes.

Why this answer

containerd and CRI-O are both lightweight container runtimes designed for Kubernetes and implement the CRI. Kata Containers provides hardware virtualization isolation and also implements CRI. Docker is not a CRI-compliant runtime; it uses dockershim (deprecated and removed). rkt was an alternative but is not widely used and does not implement CRI directly.

98
MCQ · medium

Which component is responsible for running containers in a Kubernetes node and implements the Container Runtime Interface (CRI)?

A. kubelet
B. etcd
C. kube-proxy
D. containerd
Answer: D

containerd is a CRI-compliant container runtime that runs and manages containers.

Why this answer

containerd is the correct answer because it is the container runtime that directly manages container lifecycle operations (create, start, stop, delete) on a Kubernetes node and implements the Container Runtime Interface (CRI), which is the gRPC-based protocol that kubelet uses to interact with container runtimes. Kubernetes requires a CRI-compliant runtime, and containerd is a graduated CNCF project that fulfills this role by exposing the CRI API via its `cri` plugin.

Exam trap

CNCF often tests the misconception that kubelet directly runs containers, but in reality kubelet is only the orchestrator agent that delegates to a CRI-compliant runtime like containerd, making containerd the correct answer.

How to eliminate wrong answers

Option A (kubelet) is wrong because kubelet is the node agent that communicates with the control plane and manages pods, but it does not run containers directly—it delegates container operations to a CRI-compliant runtime like containerd. Option B (etcd) is wrong because etcd is a distributed key-value store used for cluster state persistence, not for running containers or implementing CRI. Option C (kube-proxy) is wrong because kube-proxy is a network proxy that handles service routing and load balancing using iptables or IPVS, and it has no role in container runtime operations or the CRI.

99
MCQ · hard

You run 'kubectl get pods' and see that a pod named 'web-frontend' is in 'Pending' state for more than 5 minutes. What is the most likely cause?

A. The container image does not exist
B. There are insufficient resources on any node to schedule the pod
C. The pod's readiness probe is failing
D. The pod's liveness probe is failing
Answer: B

Lack of CPU/memory or other constraints keeps the pod pending.

Why this answer

A pod stuck in 'Pending' state for an extended period typically indicates that the scheduler cannot find a suitable node to run the pod. The most common reason is insufficient resources (CPU, memory, or ephemeral storage) on any available node, causing the scheduler to leave the pod unscheduled. This is confirmed by running 'kubectl describe pod web-frontend' and checking the 'Events' section for 'FailedScheduling' messages.

Exam trap

CNCF often tests the distinction between pod states — candidates confuse 'Pending' (scheduling failure) with image pull errors or probe failures, which occur after scheduling and manifest as different states like 'ImagePullBackOff' or 'CrashLoopBackOff'.

How to eliminate wrong answers

Option A is wrong because if the container image does not exist, the pod would transition to 'ImagePullBackOff' or 'ErrImagePull' state, not remain in 'Pending' — the scheduler would still assign the pod to a node first. Option C is wrong because a failing readiness probe causes the pod to be marked as 'NotReady' but it remains in 'Running' state, not 'Pending'. Option D is wrong because a failing liveness probe triggers container restarts and eventually 'CrashLoopBackOff', but the pod is still scheduled and in 'Running' state, not 'Pending'.

100
MCQ · medium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A. Increase the memory limit in the pod's container resource specification
B. Delete and recreate the pod to clear the crash loop
C. Increase the CPU request for the container
D. Delete the namespace and redeploy all workloads
Answer: A

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option A is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option B would not help: recreating the pod without addressing the root cause will result in the same failure. Option C addresses CPU, not memory. Option D (deleting the namespace) is destructive and unnecessary.

101
MCQ · medium

You want to ensure that a Pod runs on every Node in the cluster. Which resource should you use?

A. Deployment
B. DaemonSet
C. ReplicaSet
D. StatefulSet
Answer: B

DaemonSets run a Pod on each Node (or a subset if nodeSelector is used).

Why this answer

A DaemonSet ensures that a copy of a Pod runs on every Node in the cluster, including when new Nodes are added. This is the correct resource for cluster-wide services like log collectors, monitoring agents, or kube-proxy, as it automatically schedules a Pod on each Node and respects node taints and tolerations.

Exam trap

CNCF often tests the misconception that a Deployment with a replica count equal to the number of Nodes will achieve the same effect, but candidates overlook that Deployments do not enforce per-Node scheduling and can leave some Nodes empty due to scheduling constraints or resource limits.

How to eliminate wrong answers

Option A is wrong because a Deployment manages a set of identical Pods with a desired replica count, but it does not guarantee placement on every Node; it uses a scheduler to distribute Pods across available Nodes, which may leave some Nodes empty. Option C is wrong because a ReplicaSet is a lower-level resource that ensures a specified number of Pod replicas are running, but it has no mechanism to enforce per-Node scheduling; it is typically used by Deployments for replica management. Option D is wrong because a StatefulSet is designed for stateful applications that require stable, unique network identities and persistent storage, not for running a Pod on every Node; it uses ordinal indexing and can be scheduled on a subset of Nodes.

102
MCQ · medium

Which command would you use to get the logs of a pod named 'backend' in the 'production' namespace?

A. kubectl log pod backend -n production
B. kubectl get logs backend -n production
C. kubectl logs -n production pod/backend
D. kubectl logs backend --namespace=production
Answer: D

Correct syntax using --namespace flag.

Why this answer

Option D is correct because `kubectl logs` is the correct command to retrieve pod logs in Kubernetes, and `--namespace=production` (or `-n production`) specifies the namespace. The syntax `kubectl logs <pod-name> --namespace=<namespace>` is the standard, valid form. This command fetches the current logs from the pod's default container.

Exam trap

The trap here is that candidates confuse `kubectl get` (used for listing resources) with `kubectl logs` (used for retrieving logs), and may also incorrectly add the resource type prefix `pod/` which is valid for `kubectl describe` or `kubectl delete` but not for `kubectl logs`.

How to eliminate wrong answers

Option A is wrong because the verb is `log` instead of `logs`; `kubectl log` is not a valid command. Option B is wrong because `kubectl get logs` is not a valid subcommand; `get` is used for resources like pods, not logs. Option C is wrong because the syntax `kubectl logs -n production pod/backend` is incorrect; the resource type prefix `pod/` is not used with `kubectl logs` — the correct form is `kubectl logs backend -n production`.

103
MCQ · medium

A container image is built from a Dockerfile with multiple layers. Which statement about container image layers is TRUE?

A. Each layer is created by a RUN instruction and can be modified after the image is built
B. Each layer is unique to the image and cannot be shared with other images
C. Layers are read-only and can be reused across different images
D. All layers in a container image are writable at runtime
Answer: C

Image layers are read-only and are shared across images that use the same base or intermediate layers, improving efficiency.

Why this answer

Option C is correct because container image layers are read-only and are stored in a content-addressable storage (e.g., overlayfs, aufs). These layers can be reused across different images when they share the same content hash, which is a fundamental efficiency of Docker's union filesystem. This layer sharing reduces disk usage and speeds up image pulls.

Exam trap

CNCF often tests the misconception that all layers are writable at runtime, but in reality only the container's writable layer is mutable, while the underlying image layers remain read-only.

How to eliminate wrong answers

Option A is wrong because each layer is created by any instruction in the Dockerfile (not just RUN), and layers are immutable after the image is built; they cannot be modified. Option B is wrong because layers are identified by their content hash (SHA256) and are shared between images that use the same base layers, such as multiple images based on the same Ubuntu base. Option D is wrong because at runtime, a thin writable container layer is added on top of the read-only image layers; the image layers themselves remain read-only.

104
MCQ · medium

You need to run a batch job that processes a queue of 1000 items. The job should run to completion and then terminate. Which Kubernetes resource is BEST suited for this workload?

A. DaemonSet
B. Job
C. Deployment
D. StatefulSet
Answer: B

A Job creates one or more pods and ensures they successfully terminate; ideal for batch workloads.

Why this answer

A Kubernetes Job is designed for batch processing tasks that run to completion and then terminate. It creates one or more Pods and ensures that a specified number of them successfully terminate. For a queue of 1000 items, a Job can be configured with a parallelism value and a completions count to process all items and then exit, making it the ideal resource for this workload.

Exam trap

CNCF often tests the distinction between workloads that run to completion (Jobs) versus those that are expected to run indefinitely (Deployments, DaemonSets), and the trap here is that candidates may choose Deployment because they associate it with 'running a job' in a general sense, without realizing that a Deployment's default behavior is to maintain a desired number of running Pods and restart them if they exit.

How to eliminate wrong answers

Option A is wrong because a DaemonSet ensures that a copy of a Pod runs on every (or selected) Node in the cluster, which is intended for long-running background services like log collection or monitoring, not for batch jobs that terminate. Option C is wrong because a Deployment manages a set of Pods to run continuously (e.g., web servers) and will restart Pods if they exit, which is the opposite of a batch job that should terminate after completion. Option D is wrong because a StatefulSet is used for stateful applications that require stable network identities and persistent storage (e.g., databases), not for ephemeral batch processing tasks.
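As an added example (not from the original page), here is a Job manifest for the scenario above: 1000 completions processed 10 at a time in Indexed mode, so each Pod learns which item to handle from JOB_COMPLETION_INDEX. The image name and worker command are placeholders; the securityContext fields are not part of the question but are what a security engineer would add to any batch workload.

```yaml
# Added example, not from the original page. Image and worker command are assumed.
apiVersion: batch/v1
kind: Job
metadata:
  name: queue-processor
spec:
  completions: 1000            # the Job succeeds once 1000 Pods have exited 0
  parallelism: 10              # at most 10 Pods run at the same time
  completionMode: Indexed      # each Pod gets JOB_COMPLETION_INDEX = 0..999
  backoffLimit: 4              # give up after 4 failed Pods
  activeDeadlineSeconds: 3600  # wall-clock ceiling; wins over backoffLimit
  ttlSecondsAfterFinished: 600 # garbage-collect the Job and its Pods 10 min after it ends
  template:
    spec:
      restartPolicy: Never     # a Job accepts Never or OnFailure, never Always
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: worker
          image: registry.example.com/queue-worker:1.4.2   # assumed
          # JOB_COMPLETION_INDEX is injected by the Job controller in Indexed mode
          command: ["sh", "-c", "/worker --item-index \"$JOB_COMPLETION_INDEX\""]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests: {cpu: 100m, memory: 64Mi}
            limits: {cpu: 500m, memory: 128Mi}
```

Apply it with kubectl apply -f and watch progress with kubectl get job queue-processor -w. backoffLimit counts failed Pods, while activeDeadlineSeconds is a wall-clock ceiling that overrides it; the deadline is what stops a stuck queue from holding cluster capacity indefinitely.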

105
MCQhard

A pod is stuck in the Pending state. Running 'kubectl describe pod <pod-name>' shows the event: '0/3 nodes are available: 1 node had taint {node.kubernetes.io/disk-pressure: }, 2 nodes had taint {node.kubernetes.io/memory-pressure: }'. What is the most likely cause?

A.All nodes have taints that the pod does not have tolerations for
B.The container image is not found in the registry
C.The pod has a resource request that exceeds available capacity on all nodes
D.The pod's liveness probe is failing
AnswerA

The event indicates that each node has a taint (disk-pressure or memory-pressure) and the pod lacks corresponding tolerations.

Why this answer

The pod is stuck in Pending because the scheduler cannot find a node that satisfies its scheduling constraints. The events show that all three nodes carry taints (disk-pressure and memory-pressure) and the pod has no matching tolerations, so it is not permitted on any node and stays Pending. One practical caveat: these two taints are not set by an administrator. The node lifecycle controller adds node.kubernetes.io/memory-pressure and node.kubernetes.io/disk-pressure (effect NoSchedule) when a node reports the MemoryPressure or DiskPressure condition and removes them when the condition clears. The right response is to look at the nodes ('kubectl describe node <name>' shows the Conditions and any evicted pods) and free resources or add capacity, not to give the pod a toleration for those taints.

Exam trap

CNCF often tests the distinction between taints/tolerations and resource constraints, where candidates mistakenly attribute a Pending state to resource exhaustion when the actual cause is missing tolerations for node taints.

How to eliminate wrong answers

Option B is wrong because a missing container image would cause an ImagePullBackOff or ErrImagePull error, not a Pending state with node taint events. Option C is wrong because resource requests exceeding capacity would produce events like 'Insufficient memory' or 'Insufficient cpu', not taint-related messages. Option D is wrong because a failing liveness probe only affects running pods (causing restarts or CrashLoopBackOff), not pods that have never been scheduled.
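An added example (not from the original page) of the toleration syntax this question tests, applied to an administrator-managed taint rather than to the node-pressure taints in the stem. The node name, taint key and image are assumed.

```yaml
# Added example, not from the original page. Node name, taint and image are assumed.
# The taint this Pod tolerates is created by an administrator with:
#   kubectl taint nodes worker-1 dedicated=batch:NoSchedule
apiVersion: v1
kind: Pod
metadata:
  name: batch-worker
spec:
  tolerations:
    - key: dedicated        # must equal the taint key
      operator: Equal       # Exists would match any value for the key
      value: batch
      effect: NoSchedule    # must equal the taint effect (omit it to match every effect)
  # No toleration for node.kubernetes.io/memory-pressure or
  # node.kubernetes.io/disk-pressure: the node lifecycle controller sets
  # those while a node is unhealthy, and tolerating them only lands the
  # Pod on a node that is already evicting workloads.
  containers:
    - name: worker
      image: registry.example.com/batch-worker:2.0   # assumed
      resources:
        requests: {cpu: 250m, memory: 256Mi}
        limits: {cpu: 1, memory: 512Mi}
```

kubectl describe node worker-1 lists the node's Taints and Conditions side by side, which is the quickest way to tell an administrative taint from an automatic pressure taint before touching the pod spec.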

106
MCQhard

You have a multi-container pod with a main application container and a sidecar container that handles log shipping. The sidecar container should start before the main container and stop after the main container finishes. Which pod configuration should you use?

A.Define the sidecar as an init container
B.Use the 'startupOrder' field in the pod spec
C.Kubernetes does not natively guarantee startup and shutdown order among containers in a pod
D.Set the sidecar container's command to a script that waits for the main container's port to become available before starting
AnswerC

Containers in a pod start in parallel and terminate in parallel; ordering is not guaranteed without custom logic.

Why this answer

Kubernetes starts the app containers of a pod together and does not order their startup or shutdown, so the expected answer is C. Init containers (Option A) do run before the app containers, but each must exit before the next starts and before any app container starts, so a log shipper defined as a classic init container would never run alongside the application. Option B names a field that does not exist in the pod spec. Option D is a custom workaround: a wait loop in the sidecar's command makes the sidecar come up after the application, the opposite of what was asked, and does nothing about shutdown order.

Lifecycle hooks do not change this either: a postStart hook runs inside its own container, and a preStop hook can only delay the container it belongs to, so neither provides a cross-container ordering guarantee. One caveat for practitioners: since Kubernetes v1.29 (beta, on by default; GA in v1.33) an init container with restartPolicy: Always is treated as a native sidecar. It starts before the app containers, keeps running beside them, and is terminated after they exit, which is exactly the ordering the question describes. Exam material written before that feature, including this answer key, still expects C.
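An added example (not from the original page). Since Kubernetes v1.29 (beta, on by default; GA in v1.33) an init container with restartPolicy: Always is a native sidecar: it starts before the app containers, runs alongside them and is stopped after they exit, which is the ordering the question asks for. Image names, the log path and the probe port are assumed.

```yaml
# Added example, not from the original page. Images, log path and probe port are assumed.
# Requires the SidecarContainers feature (beta/on by default in v1.29, GA in v1.33).
apiVersion: v1
kind: Pod
metadata:
  name: app-with-log-shipper
spec:
  initContainers:
    - name: log-shipper
      image: registry.example.com/log-shipper:3.1   # assumed
      restartPolicy: Always        # this field turns an init container into a sidecar
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/app
          readOnly: true           # the shipper only needs to read
      # the kubelet waits for this probe to pass before starting the app container
      startupProbe:
        httpGet:
          path: /healthz
          port: 2020
        periodSeconds: 2
        failureThreshold: 30
  containers:
    - name: app
      image: registry.example.com/app:1.0   # assumed
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/app
  volumes:
    - name: app-logs
      emptyDir: {}
```

On termination the kubelet stops the app containers first and the sidecars afterwards, so the shipper sees the application's final log lines. On a cluster without the feature the same manifest is rejected, because restartPolicy is not a valid field on an init container there.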

107
MCQmedium

You run the command 'kubectl get pods -n default' and see no pods listed. However, you are sure there should be pods. What is the most likely cause?

A.The current kubectl context is connected to a different cluster
B.All pods are in the 'kube-system' namespace
C.The kube-apiserver is down
D.The pods are in the 'Pending' state and not listed
AnswerA

The kubectl context determines which cluster, user and default namespace kubectl talks to. If the current context points at another cluster, or at another namespace than the one you think you are querying, the listing is empty or shows someone else's resources.

Why this answer

If kubectl shows no pods where you expect them, the most common cause is that the current kubeconfig context points at a different cluster, or carries a different default namespace than the one you intend. Check with 'kubectl config current-context' and 'kubectl config view --minify' (which prints the cluster, user and namespace of that context), and run 'kubectl get pods -A' to list every namespace and see where the pods actually are.

Option B is unlikely: application pods do not normally live in 'kube-system', which holds cluster components. Option C would produce a connection error, not an empty list. Option D is wrong because Pending pods are still listed by 'kubectl get pods'; only their STATUS column differs.

108
MCQeasy

Which statement accurately describes a key difference between containers and virtual machines?

A.Virtual machines share the host kernel, while containers have their own kernel
B.Both containers and virtual machines require a hypervisor
C.Containers include a full guest operating system
D.Containers share the host OS kernel, while virtual machines include a full guest OS
AnswerD

This is the key difference: containers are lightweight because they share the host kernel.

Why this answer

Containers share the host OS kernel and are lightweight, while VMs include a full guest OS and hypervisor, making them heavier.

109
Multi-Selecteasy

Which TWO of the following are true about container networking basics? (Choose 2)

Select 2 answers
A.Containers can only communicate if they are on the same node
B.Containers on the same host can communicate via a bridge network
C.Each container has its own network namespace
D.Container networking does not require any configuration
E.All containers share the host's IP address
AnswersB, C

A bridge network connects containers to the same L2 network, allowing communication.

Why this answer

Containers use network namespaces to isolate their network stack (interfaces, routes, firewall rules), so each container has its own. Bridge networking is the common way for containers on the same host to talk: each gets its own IP address on the bridge subnet, so they do not share the host's IP (Option E); only host-network mode does that. Containers on different nodes can still communicate through overlay networks or published ports (Option A), and every setup involves some configuration even when defaults hide it (Option D).

110
MCQhard

You have a microservices application with a frontend service that needs to communicate with a backend service running in a different namespace ('backend-ns'). The default namespace for the frontend is 'frontend-ns'. What DNS name should the frontend use to reach the backend service named 'backend-svc'?

A.backend-svc.frontend-ns.svc.cluster.local
B.backend-svc.backend-ns.svc.cluster.local
C.backend-svc.backend-ns.cluster.local
D.backend-svc
AnswerB

This is the correct FQDN for cross-namespace service discovery.

Why this answer

In Kubernetes, DNS names for Services follow the pattern <service>.<namespace>.svc.<cluster-domain>, where the cluster domain is cluster.local by default. For cross-namespace access, the fully qualified name is backend-svc.backend-ns.svc.cluster.local (the shorter backend-svc.backend-ns also resolves, because the pod's resolv.conf search list appends svc.cluster.local). Option A uses the frontend's namespace, so it looks up a 'backend-svc' in frontend-ns that does not exist. Option C omits the 'svc' label and is not a valid Service name. Option D is the short name, which resolves only from pods inside backend-ns itself.

111
MCQhard

Which of the following is a characteristic of immutable infrastructure?

A.Infrastructure is version-controlled using Git
B.Infrastructure components are never changed after deployment; they are replaced
C.Servers are updated in-place with configuration management tools
D.Containers are used to ensure portability
AnswerB

Immutable infrastructure replaces components rather than modifying them.

Why this answer

Immutable infrastructure means that instead of modifying existing servers, new instances are created from an image and old ones are replaced.

112
MCQeasy

What is the purpose of a readiness probe in a Kubernetes pod?

A.To check if the container is alive and restart it if not
B.To verify the container's CPU and memory usage
C.To ensure the container can write to persistent storage
D.To check if the container is ready to accept traffic
AnswerD

Readiness probes indicate whether the pod should receive traffic; if not, the pod is removed from services.

Why this answer

Readiness probes determine if a container is ready to serve traffic; if it fails, the pod is removed from service endpoints.
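An added example (not from the original page) showing a readiness probe next to a liveness probe so the different consequences are visible: a failing readiness probe removes the pod from the Service's endpoints, a failing liveness probe restarts the container. Paths, port and image are assumed.

```yaml
# Added example, not from the original page. Paths, port and image are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: web
  labels:
    app: web                  # a Service selecting app=web routes here only while Ready
spec:
  containers:
    - name: web
      image: registry.example.com/web:1.0   # assumed
      ports:
        - containerPort: 8080
      readinessProbe:         # failing: Pod dropped from EndpointSlices, container NOT restarted
        httpGet:
          path: /ready        # may check the dependencies (db, cache) needed to serve
          port: 8080
        initialDelaySeconds: 5
        periodSeconds: 5
        failureThreshold: 3
      livenessProbe:          # failing: kubelet kills and restarts the container
        httpGet:
          path: /healthz      # must be cheap and must NOT depend on external systems,
          port: 8080          # or a downstream outage turns into a restart storm
        periodSeconds: 10
        failureThreshold: 3
```

The split matters operationally: a readiness check may legitimately fail while a database is unreachable, and the pod simply stops receiving traffic; if the same check were used for liveness, every pod would be restarted in a loop for a problem restarts cannot fix.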

113
Matchingmedium

Match each Kubernetes component to its role in the control plane.

Pairings

kube-apiserver: Exposes the Kubernetes API and acts as the front-end

kube-controller-manager: Runs controller processes like Node and Replication controllers

kube-scheduler: Assigns pods to nodes based on resource availability

etcd: Consistent and highly-available key-value store for all cluster data

cloud-controller-manager: Interacts with underlying cloud provider's APIs

Why these pairings

These are the core control plane components in a Kubernetes cluster.

114
MCQeasy

What is the purpose of the Container Runtime Interface (CRI) in Kubernetes?

A.To allow kubelet to use different container runtimes
B.To manage persistent storage for containers
C.To provide a network plugin interface for pods
D.To define a standard for container images
AnswerA

CRI abstracts the container runtime so kubelet can work with any CRI-compliant runtime.

Why this answer

CRI is a plugin interface that enables kubelet to use different container runtimes without needing to recompile.

115
Multi-Selecteasy

Which TWO of the following are characteristics of microservices architecture? (Choose 2)

Select 2 answers
A.All services share the same database
B.Services can be deployed independently
C.Communication between services is often via APIs
D.The entire application is deployed as a single unit
E.Services are tightly coupled
AnswersB, C

Each microservice can be developed, deployed, and scaled independently.

Why this answer

Option B is correct because microservices architecture is defined by the ability to deploy each service independently without affecting other services. This independence enables teams to update, scale, and roll back individual components, which is a core principle of container orchestration platforms like Kubernetes that manage these services as separate units.

Exam trap

The trap here is that candidates confuse microservices with service-oriented architecture (SOA) or assume that a shared database or tight coupling is acceptable, when independent deployability depends on loose coupling and, in practice, on each service owning its own data store.

116
MCQhard

A pod has resource requests of 512Mi memory and 500m CPU, and limits of 1Gi memory and 1 CPU. The node has 4Gi memory and 2 CPU cores. If the pod tries to use 700m CPU, what will happen?

A.The pod will be throttled to 500m CPU
B.The pod will be allowed to use 700m CPU
C.The pod will be evicted from the node
D.The pod will be terminated for exceeding the limit
AnswerB

The pod can use up to the CPU limit (1000m) if the node has capacity.

Why this answer

The pod's CPU request is 500m, and its CPU limit is 1 CPU (1000m). When the pod attempts to use 700m CPU, it is below the limit of 1000m, so it is allowed to burst up to that amount. Kubernetes uses the CPU request for scheduling and the limit for throttling; since 700m is within the limit, no throttling occurs.

The pod is not evicted or terminated because it has not exceeded its memory limit or violated any resource constraints.

Exam trap

The trap here is that candidates confuse CPU requests with limits, thinking that exceeding the request triggers throttling or eviction, when in fact throttling only occurs at the limit and eviction is tied to memory or node pressure, not CPU usage below the limit.

How to eliminate wrong answers

Option A is wrong because CPU throttling caps usage at the limit (1000m), not at the request; 700m is below the limit, so the pod runs unthrottled and is simply bursting above its request. Option C is wrong because eviction happens when a node runs short of a resource (e.g., memory or disk pressure), and CPU is a compressible resource that never triggers eviction. Option D is wrong because a container is killed only for exceeding its memory limit; exceeding a CPU limit results in throttling, and 700m does not even reach that limit.

117
MCQeasy

A developer wants to run a one-time task that creates a database schema and then exits. Which Kubernetes workload type is most appropriate?

A.DaemonSet
B.StatefulSet
C.Deployment
D.Job
AnswerD

Jobs run to completion.

Why this answer

A Job is the correct choice because it is designed for finite, one-time tasks that run to completion, such as creating a database schema. Unlike long-running workloads, a Job creates one or more Pods and ensures they terminate successfully after the task finishes, making it ideal for batch processing or initialization tasks.

Exam trap

The trap here is that candidates confuse a one-time task with a Deployment because they think of 'running a container' generically, forgetting that Deployments enforce a restart policy that would keep the task running indefinitely.

How to eliminate wrong answers

Option A is wrong because a DaemonSet ensures that a copy of a Pod runs on all (or selected) nodes, intended for continuous background services like logging or monitoring, not for one-time tasks. Option B is wrong because a StatefulSet is used for stateful applications requiring stable, unique network identities and persistent storage, such as databases, and is designed for long-running rather than ephemeral tasks. Option C is wrong because a Deployment manages a set of identical Pods with a desired replica count, ensuring they run continuously and are automatically restarted if they exit, which is unsuitable for a task that should exit after completion.

118
MCQhard

In a container image built from a Dockerfile, what is the purpose of the CMD instruction?

A.To specify a command that always runs at build time
B.To copy files into the image
C.To provide default arguments for the ENTRYPOINT instruction
D.To define environment variables
AnswerC

CMD can provide default arguments to ENTRYPOINT, or be the main command if ENTRYPOINT is not set.

Why this answer

CMD provides defaults for an executing container. When an ENTRYPOINT is set and both use exec form, CMD supplies the default arguments to the entrypoint; without an ENTRYPOINT, CMD is the command itself. Either way it is the part that is replaced by arguments given at run time: 'docker run image arg1 arg2', or the 'args' field of a Kubernetes container, replace CMD, while the Kubernetes 'command' field replaces the ENTRYPOINT.

119
Multi-Selecthard

Which TWO of the following are valid reasons to use a DaemonSet instead of a Deployment? (Select 2)

Select 2 answers
A.You need to run exactly one pod per node for log collection
B.You need to deploy a monitoring agent that should run on every node
C.You need to ensure a pod runs on the control-plane node only
D.You need to run a batch job that completes and exits
E.You need to run a stateless web application with multiple replicas
AnswersA, B

DaemonSets ensure one pod per node.

Why this answer

DaemonSets run a pod on each node, ideal for logging and monitoring agents. They are not for stateless apps or batch jobs.
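An added example (not from the original page): a DaemonSet for a node-level agent that also covers control-plane nodes, which are normally tainted. Image, host path and namespace are assumed; the ServiceAccount and RBAC it references are not shown.

```yaml
# Added example, not from the original page. Image, namespace and host path are assumed.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-agent
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: node-agent
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1          # roll out one node at a time
  template:
    metadata:
      labels:
        app: node-agent
    spec:
      # control-plane nodes are usually tainted; tolerate it to cover them as well
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      serviceAccountName: node-agent   # grant it only the RBAC the agent needs
      containers:
        - name: agent
          image: registry.example.com/node-agent:1.8   # assumed
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: varlog
              mountPath: /var/log
              readOnly: true       # read host logs, nothing more
      volumes:
        - name: varlog
          hostPath:
            path: /var/log
```

A DaemonSet has no replicas field: the number of Pods follows the number of matching nodes, and a nodeSelector or node affinity in the template restricts which nodes count. Because agents like this often mount host paths, the hostPath mount and the securityContext are where a reviewer should spend their attention.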

120
MCQeasy

Which Open Container Initiative (OCI) specification defines the format of container images?

A.Runtime Spec
B.Image Spec
C.Container Runtime Interface (CRI)
D.Dockerfile specification
AnswerB

OCI Image Spec standardizes container image format.

Why this answer

The OCI Image Spec defines the format and content of container images, including the manifest, configuration, and layers. This ensures that any OCI-compliant runtime can run images built by any OCI-compliant tool, enabling interoperability across different container platforms.

Exam trap

The trap here is confusing the OCI Runtime Spec (which deals with running containers) with the OCI Image Spec (which deals with packaging images), or mistaking the Kubernetes CRI plugin interface for an OCI standard.

How to eliminate wrong answers

Option A is wrong because the OCI Runtime Spec defines the lifecycle and configuration of running containers (e.g., bundle format, state machine), not the image format. Option C is wrong because the Container Runtime Interface (CRI) is a Kubernetes API for integrating container runtimes (like containerd or CRI-O), not an OCI specification for image format. Option D is wrong because the Dockerfile specification is a Docker-specific build instruction format, not an OCI standard; OCI images are built from layers, not directly from Dockerfiles.

121
MCQhard

An administrator wants to ensure that a Deployment named 'webapp' always has exactly 3 replicas running across distinct nodes to improve fault tolerance. Which field in the Deployment spec should they configure?

A.replicas: 3
B.template.spec.affinity.podAntiAffinity
C.strategy.type: Recreate
D.template.spec.nodeName
AnswerB

PodAntiAffinity can prevent scheduling multiple pods on the same node.

Why this answer

PodAntiAffinity with requiredDuringSchedulingIgnoredDuringExecution can enforce that pods are scheduled on different nodes.
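An added example (not from the original page) of the podAntiAffinity rule described above, placed in a Deployment's pod template. The image is assumed.

```yaml
# Added example, not from the original page. Image is assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      affinity:
        podAntiAffinity:
          # "required": the scheduler refuses to co-locate two app=webapp Pods on one
          # node; with fewer than 3 schedulable nodes the extra replicas stay Pending.
          # Use preferredDuringSchedulingIgnoredDuringExecution for a soft rule.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: webapp
              topologyKey: kubernetes.io/hostname   # "distinct node"; use topology.kubernetes.io/zone for zones
      containers:
        - name: webapp
          image: registry.example.com/webapp:1.0   # assumed
          ports:
            - containerPort: 8080
```

The IgnoredDuringExecution suffix means the rule is checked only at scheduling time: if labels change later, running Pods are not moved. The same spread can also be expressed with topologySpreadConstraints (maxSkew: 1, topologyKey: kubernetes.io/hostname, whenUnsatisfiable: DoNotSchedule), which scales better than pairwise anti-affinity on large clusters.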

122
Multi-Selecteasy

Which TWO of the following are true about container images? (Choose 2)

Select 2 answers
A.Container images include a full operating system kernel
B.Container images are immutable once created
C.Container images are stored in a container registry
D.Container images consist of read-only layers
E.Container images are built using a Dockerfile
AnswersC, D

Images are pushed to and pulled from registries like Docker Hub.

Why this answer

Container images are built in layers, each representing a set of filesystem changes. Images are stored in registries. The Dockerfile defines the build process, not the image itself.

123
MCQeasy

What is the Container Runtime Interface (CRI)?

A.A tool for building container images
B.A standard for container runtime logs
C.A specification for container images
D.An API between kubelet and container runtime
AnswerD

Correct. CRI allows kubelet to communicate with runtimes like containerd and CRI-O.

Why this answer

CRI is a plugin interface that enables kubelet to use different container runtimes without needing to recompile.

124
MCQmedium

An administrator needs to expose a set of pods running a web application on a static port on each node's IP address. Which Service type should they use?

A.ClusterIP
B.NodePort
C.ExternalName
D.LoadBalancer
AnswerB

NodePort opens a specific port on all nodes and routes traffic to the service.

Why this answer

A NodePort Service exposes the application on a static port on every node's IP address, making the pods reachable externally via <NodeIP>:<NodePort>. The port is taken from the API server's --service-node-port-range (30000–32767 by default) and is opened on every node, including nodes that run none of the pods, so it should be firewalled like any other listening port. This matches the requirement to expose pods on a static port on each node's IP address without an external load balancer.

Exam trap

CNCF often tests the misconception that NodePort is the only way to expose a Service externally. The trap here is confusing NodePort with LoadBalancer: a LoadBalancer Service is built on top of a NodePort (it allocates one by default) but additionally asks the cloud provider for an external load balancer, which needs provider integration and is not what the scenario requires.

How to eliminate wrong answers

Option A is wrong because ClusterIP exposes the service only on a cluster-internal IP, making it unreachable from outside the cluster. Option C is wrong because ExternalName maps a service to an external DNS name via CNAME records, not to node IPs or ports. Option D is wrong because LoadBalancer provisions an external cloud load balancer with a public IP, which is overkill and not required for exposing on each node's static port.
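An added example (not from the original page) of a NodePort Service; the selector label, ports and nodePort value are assumed.

```yaml
# Added example, not from the original page. Selector label, ports and nodePort are assumed.
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: NodePort
  selector:
    app: web              # Pods carrying this label become endpoints (while Ready)
  ports:
    - name: http
      port: 80            # port on the Service's ClusterIP (still allocated for NodePort)
      targetPort: 8080    # container port on the Pods
      nodePort: 30080     # optional; must fall in the node-port range (default 30000-32767)
      protocol: TCP
  # Local preserves the client source IP and only forwards to Pods on the node that
  # received the packet (a node without a local Pod drops it); the default, Cluster,
  # SNATs and may forward to a Pod on another node.
  externalTrafficPolicy: Local
```

kube-proxy opens the NodePort on every node's addresses unless it is started with --nodeport-addresses to limit the interfaces, so a NodePort on a node with a public interface is publicly reachable the moment it is created.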

125
MCQmedium

A company is deploying a microservices application on Kubernetes. They want to ensure that configuration data, such as database URLs and feature flags, can be updated without rebuilding container images. Which Kubernetes resource should they use?

A.Secrets
B.Services
C.Deployments
D.ConfigMaps
AnswerD

ConfigMaps store non-sensitive configuration data that can be consumed by pods.

Why this answer

ConfigMaps are the correct Kubernetes resource for decoupling configuration data (like database URLs and feature flags) from container images. They let you inject configuration as environment variables or mounted files without rebuilding the image. The two paths differ on updates: a mounted ConfigMap volume is refreshed by the kubelet after the ConfigMap is edited (files mounted with subPath are the exception), while environment variables are read once at container start and only change after the pod is restarted, for example with 'kubectl rollout restart'.

Exam trap

The trap here is that candidates often confuse ConfigMaps with Secrets, assuming that all configuration must be stored in Secrets, but the KCNA exam tests the distinction that ConfigMaps are for non-sensitive data and Secrets are for sensitive data.

How to eliminate wrong answers

Option A is wrong because Secrets are designed for sensitive data (e.g., passwords, tokens) and are not intended for general configuration like database URLs or feature flags; using Secrets for non-sensitive data adds unnecessary complexity and security overhead. Option B is wrong because Services are a networking abstraction that provides stable endpoints for Pods, not a mechanism for storing or injecting configuration data. Option C is wrong because Deployments manage the desired state and lifecycle of Pods (e.g., scaling, rolling updates), but they do not store configuration data; configuration is typically provided via ConfigMaps or Secrets referenced in the Pod spec.
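An added example (not from the original page): a ConfigMap consumed both as environment variables and as mounted files, because the two paths behave differently when the ConfigMap is edited. Values and image are assumed.

```yaml
# Added example, not from the original page. Values and image are assumed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DATABASE_URL: "postgres://db.backend-ns.svc.cluster.local:5432/app"  # host only; the password belongs in a Secret
  FEATURE_NEW_CHECKOUT: "true"
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0   # assumed
      envFrom:
        - configMapRef:
            name: app-config   # every key becomes an env var, read once at container start
      volumeMounts:
        - name: config
          mountPath: /etc/app  # one file per key: /etc/app/DATABASE_URL, /etc/app/FEATURE_NEW_CHECKOUT
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: app-config       # the kubelet rewrites these files after an edit (not with subPath)
```

After 'kubectl edit configmap app-config' the files under /etc/app change within the kubelet's sync period, but the environment variables keep their old values until the pod is recreated. Keys consumed through envFrom must be valid environment variable names; keys that are not are skipped with an event on the pod.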

126
MCQhard

A user runs 'kubectl exec -it pod1 -- /bin/sh' and gets the error 'error: unable to upgrade connection: container not found'. The pod is Running and contains several containers, one of which is named 'app'. What is the most likely issue?

A.The pod is not running
B.The container does not have a shell binary
C.The user does not have permission to exec into pods
D.The container name was not specified and the pod has multiple containers
AnswerD

When a pod has more than one container, pass '-c <name>' to kubectl exec (or set the kubectl.kubernetes.io/default-container annotation on the pod); the names can be listed with 'kubectl get pod pod1 -o jsonpath={.spec.containers[*].name}'.

Why this answer

Option D is correct. A 'container not found' error from kubectl exec means the kubelet could not match a container to the request: no container name was given, so the wrong container, or one that has not started yet, was targeted. Run 'kubectl exec -it pod1 -c app -- /bin/sh' instead. Option B (no shell binary) produces a different error, an OCI runtime exec failure saying that /bin/sh cannot be found.

Option A contradicts the stem, which says the pod is Running. Option C would be rejected by RBAC with a 'Forbidden' error on the pods/exec subresource before any connection to the kubelet is attempted.

127
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the memory limit in the pod's container resource specification
B.Increase the CPU request for the container
C.Delete the namespace and redeploy all workloads
D.Delete and recreate the pod to clear the crash loop
AnswerA

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option A is correct. OOMKilled means the container's cgroup reached its memory limit and the kernel OOM killer terminated it (exit code 137); the kubelet restarts it and, after repeated kills, backs off into CrashLoopBackOff. The fix is to raise the memory limit in the container's resource specification. Because the pod ran for several days before this started, also check the application for growing memory use: a higher limit only buys time against a leak.

Option B addresses CPU, which is throttled rather than killed and has nothing to do with OOMKilled. Option C is destructive and unnecessary. Option D restarts the pod with the same limit, so it will be killed again at the same point.
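An added example (not from the original page) that serves this question and question 116: the requests and limits from question 116 as a container resources block, with what each bound does at runtime. The image is assumed.

```yaml
# Added example, not from the original page. Image is assumed.
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0   # assumed
      resources:
        requests:          # what the scheduler reserves when picking a node;
          cpu: 500m        # no node with this much free -> Pending ("Insufficient cpu")
          memory: 512Mi
        limits:
          cpu: "1"         # CFS quota: usage above 1000m is throttled, never killed
          memory: 1Gi      # cgroup memory limit: exceeding it -> OOMKilled (exit 137),
                           # restart, and eventually CrashLoopBackOff
```

Requests lower than limits put the pod in the Burstable QoS class; equal requests and limits give Guaranteed, which is evicted last under node pressure. After an OOMKilled restart, 'kubectl describe pod app-pod' shows it under Last State with Reason: OOMKilled and Exit Code: 137, which is the evidence to collect before raising the memory limit.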

128
MCQmedium

A Kubernetes Deployment manages a set of pods. What is the primary purpose of a Deployment?

A.To declare the desired state for a set of pods and manage rolling updates
B.To store configuration data as key-value pairs
C.To run a batch job to completion
D.To expose a set of pods as a network service
AnswerA

Deployments handle declarative updates.

Why this answer

A Deployment provides declarative updates for Pods and ReplicaSets, enabling rolling updates and rollbacks.

129
Multi-Selectmedium

Which THREE of the following are core principles of immutable infrastructure? (Choose 3)

Select 3 answers
A.Rollbacks are performed by redeploying a previous image
B.Infrastructure is patched by applying updates to running servers
C.Infrastructure components are never modified after deployment
D.Deployments are reproducible and consistent
E.All changes are made by updating configuration files on running instances
AnswersA, C, D

Since each deployment is a complete image, rollback is simply deploying an older image.

Why this answer

Immutable infrastructure means that components are replaced, not modified. This ensures consistency, reliability, and easy rollbacks. Patching running instances is mutable.

130
MCQmedium

A developer wants to expose a set of pods running a web application on a stable IP address. Which Kubernetes resource should they create?

A.Service
B.ConfigMap
C.Ingress
D.NetworkPolicy
AnswerA

A Service provides a stable cluster IP and load balancing to pods.

Why this answer

A Service provides a stable IP and DNS name to access a set of pods.

131
MCQeasy

Which of the following is a key benefit of using containers over virtual machines?

A.Each container runs its own operating system
B.Containers provide stronger isolation than VMs
C.Containers require hypervisor to run
D.Containers share the host OS kernel
AnswerD

Containers share the host OS kernel, making them lightweight.

Why this answer

Containers share the host operating system kernel, which makes them lightweight and fast to start compared to virtual machines. Each container runs as an isolated user-space process on the same kernel, avoiding the overhead of a separate guest OS per instance. This shared-kernel architecture is a fundamental design principle of containerization technologies like Docker and containerd.

Exam trap

The trap here is that candidates often confuse the lightweight nature of containers with stronger isolation, but the key trade-off is that containers share the host kernel, making them less isolated than VMs, not more.

How to eliminate wrong answers

Option A is wrong because each container does not run its own operating system; containers share the host OS kernel and only include the application and its dependencies. Option B is wrong because containers provide weaker isolation than VMs: they rely on kernel namespaces and cgroups on a shared kernel, whereas VMs use a hypervisor to provide hardware-level isolation. Option C is wrong because containers do not require a hypervisor; they are ordinary processes on the host kernel, started by a user-space runtime such as runc, while VMs need a hypervisor.

132
MCQhard

A developer creates a Deployment with replicas: 3 and strategy type: RollingUpdate with maxSurge: 1 and maxUnavailable: 1. During a rolling update, the Deployment controller creates a new ReplicaSet. After the new ReplicaSet has 2 pods ready, the node running one of the original ReplicaSet's pods fails. What is the MOST likely number of total pods running after the node failure, assuming no other actions?

A.2 pods running
B.4 pods running
C.3 pods running
D.1 pod running
AnswerA

Before node failure: old ReplicaSet scaled down to 1, new up to 2 (total 3). Node failure kills the old pod, leaving 2 new pods running.

Why this answer

Option A is correct. Initially there are 3 old pods. maxSurge=1 allows up to 4 pods in total; maxUnavailable=1 requires at least 2 available pods. Once the new ReplicaSet has 2 ready pods, the controller will already have scaled the old ReplicaSet down to 1 (total 3: 2 new + 1 old).

The node failure takes out that last old pod. The new ReplicaSet still has its 2 pods (assumed to be on other nodes), so the total running is 2, both new.

Option C (3) would require the old pod to survive the node failure. Option B (4) is the maxSurge ceiling, not a state the Deployment is in at this point. Option D (1) is too few, since both new pods keep running. Note that the controller does not stay at 2 for long: on its next sync it scales the new ReplicaSet up to replace the lost capacity, but the question asks for the count immediately after the failure.
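An added example (not from the original page): the Deployment from the stem as a manifest, with the strategy fields whose arithmetic the explanation walks through. Image and probe path are assumed.

```yaml
# Added example, not from the original page. Image and probe path are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1            # at most replicas+1 = 4 Pods may exist during the roll-out
      maxUnavailable: 1      # at least replicas-1 = 2 Pods must stay available
  minReadySeconds: 10        # a new Pod counts as available only after 10 s of Ready
  revisionHistoryLimit: 5    # old ReplicaSets kept for `kubectl rollout undo`
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          image: registry.example.com/api:2.3.1   # assumed; changing this tag starts a rollout
          ports:
            - containerPort: 8080
          readinessProbe:    # without a probe a container is Ready as soon as it is Running,
            httpGet:         # so a Pod that starts and then crashes still counts as progress
              path: /ready
              port: 8080
            periodSeconds: 5
```

kubectl rollout status deployment/api follows the roll-out, and kubectl rollout undo deployment/api switches back to the previous ReplicaSet. Setting maxUnavailable: 0 with maxSurge: 1 is the conservative choice for a stateless service: capacity never drops below the desired count, at the cost of one extra Pod while rolling.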

133
Matchingmedium

Match each Kubernetes command (kubectl) to its primary function.

Pairings

kubectl get: List one or more resources

kubectl describe: Show detailed state of a resource

kubectl apply: Create or update resources from a file or stdin

kubectl exec: Execute a command inside a container

kubectl logs: Print logs from a container in a pod

Why these pairings

These are essential kubectl commands for daily operations.

134
Multi-Selecthard

Which TWO of the following are true about service discovery in Kubernetes? (Choose 2)

Select 2 answers
A.Ingress resources can be used for internal service discovery
B.Service discovery is only available for pods on the same node
C.Environment variables are injected into pods for each Service
D.Services are assigned a DNS name in the form <service>.<namespace>.svc.cluster.local
E.Headless Services provide a stable virtual IP for service discovery
AnswersC, D

When a pod starts, environment variables are set for each active Service.

Why this answer

Kubernetes provides DNS-based service discovery: each Service gets a record of the form <service>.<namespace>.svc.cluster.local, served by CoreDNS. The kubelet also injects {SVCNAME}_SERVICE_HOST and {SVCNAME}_SERVICE_PORT variables for every Service that existed when the pod was created; Services created afterwards are not visible through environment variables, which is why DNS is the preferred mechanism. A headless Service (clusterIP: None) has no virtual IP; its DNS name resolves directly to the pod IPs.

Ingress is for external traffic, not internal service discovery.

135
MCQhard

Which of the following correctly describes the concept of 'immutable infrastructure' in the context of container orchestration?

A.Infrastructure components are recreated from a known good state rather than modified
B.Configuration changes are applied via SSH into running containers
C.Servers are never rebooted
D.Container images are updated in-place by patching existing layers
AnswerA

This is the core idea of immutability.

Why this answer

Immutable infrastructure means that once a container image is built, it is never modified; updates are done by replacing the entire container with a new image.

136
MCQmedium

A Pod is stuck in 'Pending' state. Which command is most helpful to diagnose the issue?

A.kubectl logs my-pod
B.kubectl get events
C.kubectl describe pod my-pod
D.kubectl top pod my-pod
AnswerC

This shows events and status conditions that indicate why the Pod is pending (e.g., insufficient resources).

Why this answer

Option C is correct because 'kubectl describe pod my-pod' provides detailed information about the pod's current state, including events, conditions, and resource constraints. When a pod is stuck in 'Pending', it typically means the scheduler cannot place it on a node due to issues like insufficient CPU/memory, persistent volume claims not being bound, or node selector mismatches. The 'describe' command surfaces these specific reasons in the 'Events' section and 'Conditions' field, making it the most direct diagnostic tool.

Exam trap

CNCF often tests the misconception that 'kubectl logs' is the universal debugging command, but for pending pods, logs are unavailable because containers haven't started, making 'kubectl describe' the correct choice for pre-run failures.

How to eliminate wrong answers

Option A is wrong because 'kubectl logs my-pod' retrieves container logs, but a pod in 'Pending' state has not started any containers yet, so there are no logs to fetch; this command is useful only once the pod is running. Option B is wrong because 'kubectl get events' shows every event in the namespace, which is noisy and lacks the pod's conditions and resource requests; it can be narrowed with '--field-selector involvedObject.name=my-pod', but 'describe' already combines the events with that context. Option D is wrong because 'kubectl top pod my-pod' shows live resource usage from the metrics API, which exists only for running pods; a pending pod has no consumption to report.

137
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A. Increase the CPU request for the container
B. Increase the memory limit in the pod's container resource specification
C. Delete and recreate the pod to clear the crash loop
D. Delete the namespace and redeploy all workloads
Answer: B

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The OOMKilled status indicates the container was terminated because it exceeded its memory limit. The most appropriate action is to increase the memory limit in the pod's container resource specification, which allows the container to use more memory without being killed by the Out-Of-Memory (OOM) killer. This resolves the root cause by providing sufficient memory for the workload.

Exam trap

The trap here is that candidates confuse CPU and memory resource management, assuming increasing CPU requests can resolve memory-related OOM kills, or they opt for a destructive restart instead of adjusting the resource specification.

How to eliminate wrong answers

Option A is wrong because increasing the CPU request does not address memory exhaustion; CPU and memory are independent resources, and OOMKilled is triggered by memory limits, not CPU. Option C is wrong because deleting and recreating the pod only restarts the container with the same resource limits, so it will immediately crash again due to the same memory constraint. Option D is wrong because deleting the entire namespace and redeploying all workloads is an extreme, unnecessary action that disrupts all other workloads and does not fix the underlying memory limit issue.

138
MCQ · easy

What is the primary difference between a container and a virtual machine (VM)?

A. Containers are slower to start than VMs
B. Containers provide stronger isolation than VMs
C. VMs are more portable than containers
D. Containers share the host OS kernel, whereas VMs include a full guest OS
Answer: D

This is the fundamental difference. Containers virtualize the OS, while VMs virtualize the hardware.

Why this answer

Containers share the host OS kernel, while VMs include a full guest OS. This makes containers more lightweight and portable.

139
MCQ · medium

Which of the following is a valid use case for a DaemonSet?

A. Running a batch job that must complete once
B. Running a stateless web application with multiple replicas
C. Running a stateful application with persistent storage
D. Running a logging agent on every node
Answer: D

DaemonSet ensures the agent runs on each node.

Why this answer

DaemonSet ensures that a copy of a pod runs on all (or some) nodes, commonly used for cluster-wide services like log collection or monitoring agents.

140
MCQ · easy

What is the OCI (Open Container Initiative) responsible for?

A. Hosting public container images
B. Providing a default container runtime for Kubernetes
C. Managing container orchestration
D. Defining standards for container images and runtimes
Answer: D

The OCI maintains the Image Spec and Runtime Spec to ensure container compatibility.

Why this answer

The Open Container Initiative (OCI) is a Linux Foundation project that defines open industry standards for container image formats and container runtimes. Its two main specifications are the OCI Image Spec (which standardizes the container image layout, including layers and manifests) and the OCI Runtime Spec (which defines the lifecycle and configuration for running containers). This ensures interoperability between different container tools and platforms, such as Docker, Podman, and containerd.

Exam trap

CNCF often tests the misconception that the OCI is a tool or platform (like a registry or runtime) rather than a standards body, leading candidates to confuse it with Docker Hub or containerd.

How to eliminate wrong answers

Option A is wrong because hosting public container images is the role of container registries like Docker Hub, Quay.io, or Google Container Registry, not the OCI. Option B is wrong because providing a default container runtime for Kubernetes is not the OCI's responsibility; Kubernetes uses container runtimes like containerd or CRI-O, which may implement OCI specs but are not provided by the OCI itself. Option C is wrong because managing container orchestration is the function of orchestrators like Kubernetes, Docker Swarm, or Nomad, not the OCI, which focuses solely on standardization.

141
MCQ · medium

An application requires that a specific set of pods be placed on nodes labeled with 'gpu=true'. Which Kubernetes field should be used in the pod spec to enforce this?

A. nodeSelector
B. topologySpreadConstraints
C. affinity.nodeAffinity
D. tolerations
Answer: A

nodeSelector matches the pod to nodes that have the specified label (e.g., gpu=true).

Why this answer

NodeSelector is the simplest way to constrain pods to nodes with specific labels.

142
MCQ · hard

An application requires that a pod must not be scheduled on the same node as another pod from the same Deployment. Which configuration should be used?

A. Node affinity with requiredDuringSchedulingIgnoredDuringExecution
B. Pod affinity with preferredDuringSchedulingIgnoredDuringExecution
C. Pod anti-affinity with requiredDuringSchedulingIgnoredDuringExecution and topologyKey: kubernetes.io/hostname
D. Taints and tolerations
Answer: C

This ensures the scheduler does not place two pods from the same deployment on the same node.

Why this answer

Pod anti-affinity with a requiredDuringSchedulingIgnoredDuringExecution rule and a topologyKey of 'kubernetes.io/hostname' ensures that pods are not co-located on the same node.

143
MCQ · hard

A pod is running but its container exits with code 137. The pod logs show 'Killed'. What is the most likely cause?

A. The container's CPU limit was exceeded
B. The container's liveness probe failed
C. The container was OOMKilled due to its memory limit
D. The node ran out of disk space
Answer: C

Exit code 137 is SIGKILL, often from OOM. The pod status would show OOMKilled.

Why this answer

Exit code 137 (128 + 9) indicates the container was terminated by SIGKILL. Combined with 'Killed' in logs, this is the definitive signature of an OOMKill event, where the Linux kernel's Out-Of-Memory (OOM) killer terminates the container process because it exceeded its memory limit (specified in the pod's resource limits). Kubernetes enforces memory limits via cgroups, and when the container's memory usage surpasses the limit, the OOM killer sends SIGKILL, resulting in exit code 137.

Exam trap

CNCF often tests the distinction between CPU throttling (which does not kill) and OOMKill (which does), and the trap here is that candidates confuse 'Killed' in logs with a generic failure, not recognizing exit code 137 as the specific OOMKill signal.

How to eliminate wrong answers

Option A is wrong because exceeding CPU limits causes CPU throttling (container runs slower) but never triggers a kill or exit code 137; the container continues running. Option B is wrong because a liveness probe failure results in Kubernetes restarting the container with exit code 143 (SIGTERM) or 0, not 137, and the logs would show 'Liveness probe failed' not 'Killed'. Option D is wrong because node disk pressure leads to pod eviction (not container OOM kill) with a different exit code and a Kubernetes event like 'Evicted', not exit code 137 and 'Killed' in container logs.

144
MCQ · easy

A developer wants to ensure that a pod runs only on nodes with SSDs. Which mechanism should be used?

A. Apply a taint to nodes without SSDs and add tolerations to the pod
B. Use pod anti-affinity
C. Add a nodeSelector with disktype: ssd
D. Define a ResourceQuota
Answer: C

nodeSelector ensures pods are scheduled on nodes with the specified label.

Why this answer

Option C is correct because `nodeSelector` is a simple and direct mechanism in Kubernetes to constrain a pod to run only on nodes that have a specific label, such as `disktype=ssd`. By labeling nodes with SSDs and adding the corresponding `nodeSelector` in the pod spec, the scheduler ensures the pod is placed exclusively on those nodes. This approach is straightforward and does not require complex scheduling constraints or resource management.

Exam trap

The trap here is that candidates often confuse taints/tolerations with node selection, thinking they can be used to force pods onto specific hardware, when in fact taints repel pods and tolerations allow exceptions, whereas `nodeSelector` or `nodeAffinity` are the correct tools for positive selection.

How to eliminate wrong answers

Option A is wrong because taints and tolerations are used to repel pods from nodes (or allow them to tolerate repulsion), not to positively select nodes with specific hardware; they control which pods can run on a node but do not guarantee a pod will only run on nodes with SSDs. Option B is wrong because pod anti-affinity is used to prevent pods from co-locating on the same node or topology, not to select nodes based on hardware attributes like SSDs. Option D is wrong because a ResourceQuota limits resource consumption within a namespace and cannot influence node selection based on hardware characteristics.

145
MCQ · medium

You have a microservices application deployed as a set of Pods in a Kubernetes cluster. You need to ensure that Pods can discover each other using stable DNS names. Which Kubernetes resource should you create?

A. ConfigMap
B. Ingress
C. Service
D. Deployment
Answer: C

A Service exposes a stable DNS name (e.g., my-service.namespace.svc.cluster.local) for Pods.

Why this answer

A Service of type ClusterIP (the default) provides a stable virtual IP and DNS name (e.g., my-service.namespace.svc.cluster.local) that resolves to the Pods selected by its label selector. This allows Pods to discover each other using consistent DNS names, regardless of Pod IP changes due to scaling or restarts. The kube-dns or CoreDNS addon automatically creates DNS records for Services, enabling service discovery within the cluster.

Exam trap

CNCF often tests the misconception that a Deployment itself provides stable DNS names, but Deployments only manage Pod replicas; the Service resource is required to expose a stable network endpoint and DNS record.

How to eliminate wrong answers

Option A is wrong because a ConfigMap is used to store configuration data as key-value pairs, not to provide network endpoints or DNS names for Pod discovery. Option B is wrong because an Ingress manages external HTTP/HTTPS traffic routing to Services, not internal Pod-to-Pod DNS-based discovery. Option D is wrong because a Deployment manages the desired state and lifecycle of Pods (replicas, updates), but does not create a stable network identity or DNS name for Pods to discover each other.

146
MCQ · hard

A pod named 'web-app' is not able to resolve the hostname 'db-service' from another namespace 'data'. The 'db-service' Service exists in the 'data' namespace. What is the most likely cause?

A. The pod is trying to resolve 'db-service' without the namespace suffix
B. The Service 'db-service' is not exposed on a port
C. The pod's DNS policy is set to 'None'
D. The pod's container image lacks DNS utilities
Answer: A

Pods in a different namespace must use 'db-service.data.svc.cluster.local'.

Why this answer

Kubernetes DNS resolves services in the form <service>.<namespace>.svc.cluster.local. If the pod is in a different namespace, it must use the full DNS name.

147
Multi-Select · medium

Which TWO of the following are characteristics of a microservices architecture? (Select 2)

Select 2 answers
A. Independent deployment of services
B. Tight coupling between services
C. Loose coupling between services
D. Monolithic codebase
E. Shared database for all services
Answers: A, C

Each microservice can be deployed independently.

Why this answer

Option A is correct because microservices architecture is designed to allow each service to be developed, tested, and deployed independently without affecting other services. This independence is achieved through well-defined APIs and versioning strategies, enabling continuous delivery and rapid iteration. In Kubernetes, for example, each microservice can be packaged as a separate container and deployed via its own Deployment resource, allowing updates to one service without downtime for the entire application.

Exam trap

CNCF often tests the misconception that microservices require a shared database for consistency, but the correct pattern is database-per-service to maintain loose coupling and independent scalability.

148
MCQ · medium

A developer wants to deploy a stateful application that requires stable network identities and persistent storage. Which Kubernetes resource is best suited for this workload?

A. Deployment
B. DaemonSet
C. StatefulSet
D. Job
Answer: C

StatefulSet provides stable, unique network identifiers and persistent storage for stateful applications.

Why this answer

StatefulSet is the correct choice because it is designed specifically for stateful applications that require stable, unique network identities (via headless Services and ordinal hostnames) and persistent storage (via PersistentVolumeClaims that are retained across Pod rescheduling). Unlike Deployments, StatefulSets guarantee ordered deployment, scaling, and termination, which is essential for databases or message queues.

Exam trap

CNCF often tests the misconception that Deployment can handle stateful workloads because it supports PersistentVolumeClaims, but the trap is that Deployment does not guarantee stable network identities or ordered Pod management, which are critical for stateful applications like databases.

How to eliminate wrong answers

Option A is wrong because Deployment is intended for stateless applications and creates Pods with random, ephemeral identities and no guaranteed storage persistence; it does not provide stable network identities. Option B is wrong because DaemonSet ensures that a copy of a Pod runs on each node (or a subset of nodes) for node-level services like logging or monitoring, not for stateful workloads requiring stable identities and persistent storage. Option D is wrong because Job is designed for batch or one-time tasks that run to completion, not for long-running stateful applications that need persistent storage and stable network identities.

149
MCQ · easy

What is the primary benefit of containers over virtual machines?

A. Containers provide stronger isolation than VMs
B. Containers use more disk space than VMs
C. Containers require a hypervisor to run
D. Containers are more portable and lightweight because they share the host OS kernel
Answer: D

Containers share the host kernel and only include the application and dependencies, making them portable and efficient.

Why this answer

Containers are more portable and lightweight than virtual machines because they share the host OS kernel, eliminating the need for a separate guest OS per instance. This shared kernel approach reduces resource overhead (CPU, memory, and disk) and enables faster startup times, as containers only package the application and its dependencies without duplicating the operating system.

Exam trap

The trap here is that candidates often confuse isolation strength with portability, assuming containers are more secure because they are lightweight, but Cisco tests the understanding that VMs provide stronger isolation due to separate kernels and hypervisor-level boundaries.

How to eliminate wrong answers

Option A is wrong because containers provide weaker isolation than VMs; VMs use a hypervisor to run separate guest OS kernels, offering stronger security boundaries, whereas containers rely on kernel namespaces and cgroups, which share the host kernel. Option B is wrong because containers use less disk space than VMs, as they do not include a full guest OS image and leverage layered filesystems (e.g., overlay2) to share common layers. Option C is wrong because containers do not require a hypervisor; they run directly on the host OS using container runtime engines like containerd or Docker, whereas VMs require a hypervisor (Type 1 or Type 2) to virtualize hardware.

150
Multi-Select · medium

Which TWO of the following are valid container runtimes that implement the CRI? (Choose two.)

Select 2 answers
A. Kata Containers
B. CRI-O
C. Docker
D. containerd
E. rkt
Answers: B, D

CRI-O is a CRI-compliant runtime.

Why this answer

CRI-O is a lightweight container runtime specifically designed to implement the Kubernetes Container Runtime Interface (CRI), allowing Kubernetes to use OCI-compliant runtimes directly without relying on Docker. It is a valid CRI implementation because it provides the gRPC-based CRI API server and manages container lifecycle using runc or Kata Containers as the underlying OCI runtime.

Exam trap

CNCF often tests the misconception that Docker is a CRI-compliant runtime because it was historically the default container runtime in Kubernetes, but candidates must remember that Docker uses its own API and was only supported via the now-removed dockershim, making containerd and CRI-O the only correct CRI implementations among the options.

