CCNA KCNA Kubernetes Fundamentals Questions

75 of 436 questions · Page 1/6 · KCNA Kubernetes Fundamentals topic · Answers revealed

1
MCQ · medium

You have a ConfigMap named 'app-config' with key 'database.url'. Which environment variable reference in a Pod spec injects this value correctly?

A.
```yaml
env:
- name: DATABASE_URL
  valueFrom:
    configMapKeyRef:
      name: app-config
      key: database.url
```
B.
```yaml
env:
- name: DATABASE_URL
  value: "$(APP_CONFIG_DATABASE_URL)"
```
C.
```yaml
env:
- name: DATABASE_URL
  valueFrom:
    secretKeyRef:
      name: app-config
      key: database.url
```
D.
```yaml
env:
- name: DATABASE_URL
  valueFrom:
    configMapRef:
      name: app-config
      key: database.url
```
Answer: A

This correctly references the key 'database.url' from ConfigMap 'app-config'.

Why this answer

Option A is correct because it uses the `configMapKeyRef` field under `valueFrom` to reference a specific key (`database.url`) from the ConfigMap named `app-config`. This is the standard Kubernetes syntax for injecting a single key from a ConfigMap as an environment variable into a Pod.

Exam trap

The trap here is that candidates may confuse `configMapKeyRef` with `configMapRef` (which is used with `envFrom`, not `valueFrom`) or mistakenly use `secretKeyRef` for ConfigMaps, thinking the syntax is interchangeable.

How to eliminate wrong answers

Option B is wrong because `$(APP_CONFIG_DATABASE_URL)` is not a valid Kubernetes syntax for referencing ConfigMap values; it resembles a shell variable substitution, not a Kubernetes environment variable reference. Option C is wrong because it uses `secretKeyRef`, which is for referencing Secrets, not ConfigMaps; ConfigMaps must use `configMapKeyRef`. Option D is wrong because `configMapRef` is not a valid field under `valueFrom`; the correct field is `configMapKeyRef`.

2
Multi-Select · hard

Which three of the following are true about Services in Kubernetes? (Select three.)

Select 3 answers
A. A Service provides a stable IP address for a set of pods
B. A Service can load balance traffic across multiple pods
C. A Service can be used for internal cluster traffic only using ClusterIP
D. A Service can store configuration data for applications
E. A Service can replace an Ingress for HTTP routing
Answers: A, B, C

Services have stable IPs and DNS names.

Why this answer

Services provide stable endpoints, load balance across pods, and support multiple types. They do not replace Ingress; Ingress provides HTTP routing. Services do not store configuration; ConfigMaps do.

3
MCQ · medium

Which component on each worker node is responsible for ensuring that containers are running as specified in the Pod manifest?

A. kube-scheduler
B. container runtime
C. kubelet
D. kube-proxy
Answer: C

kubelet ensures containers are running per spec.

Why this answer

kubelet is the primary node agent that interacts with the container runtime to ensure containers are healthy and running.

4
MCQ · easy

Which component runs on every node and is responsible for ensuring that containers are running as specified in Pod manifests?

A. kubelet
B. kube-proxy
C. container runtime
D. kube-controller-manager
Answer: A

kubelet is the agent that runs on each node and manages Pods and their containers.

Why this answer

The kubelet is the primary node agent that runs on every node in a Kubernetes cluster. It is responsible for ensuring that containers described in Pod manifests (typically provided via the API server) are running and healthy. The kubelet does not manage containers directly; instead, it interacts with the container runtime (e.g., containerd, CRI-O) to create, start, and stop containers as specified.

Exam trap

The trap here is that candidates confuse the container runtime (which actually runs containers) with the kubelet (which ensures the desired state from Pod manifests), leading them to pick 'container runtime' instead of 'kubelet'.

How to eliminate wrong answers

Option B is wrong because kube-proxy is a network proxy that runs on each node, handling network rules and forwarding traffic for Services, not managing container lifecycle. Option C is wrong because the container runtime (e.g., containerd, CRI-O) is the software that actually runs containers, but it is not responsible for reconciling Pod manifests or ensuring desired state — that is the kubelet's job. Option D is wrong because kube-controller-manager runs as a control plane component (not on every node) and manages controllers like ReplicaSet and Node Controller, but does not directly interact with containers on individual nodes.

5
Multi-Select · hard

A pod is stuck in Pending state. Which THREE of the following are possible causes?

Select 3 answers
A. The pod specifies a nodeSelector that does not match any node
B. The container image does not exist
C. No node has enough CPU or memory to satisfy the pod's resource requests
D. The pod has a liveness probe that is failing
E. A PersistentVolumeClaim used by the pod is not bound
Answers: A, C, E

If no nodes have the required labels, the pod cannot be scheduled.

Why this answer

A pod enters a Pending state when it cannot be scheduled onto a node. A `nodeSelector` constraint requires the node to have specific labels; if no node matches, the scheduler cannot place the pod, leaving it Pending. This is a common scheduling failure cause.

Exam trap

CNCF often tests the distinction between scheduling failures (Pending) and runtime failures (CrashLoopBackOff, ImagePullBackOff), so candidates mistakenly attribute image or probe issues to the Pending state.

6
MCQ · medium

You need to expose a set of pods running in the 'dev' namespace internally within the cluster on a stable IP. All pods have the label 'app: web'. Which kubectl command should you use?

A. kubectl expose deployment web --port=80 --target-port=8080 --name=web-service -n dev
B. kubectl create service clusterip web --tcp=80:8080 -n dev
C. kubectl run web --image=nginx --port=80 -n dev
D. kubectl expose pod web --port=80 --target-port=8080 --name=web-service -n dev
Answer: A

If the pods are managed by a Deployment named 'web', this creates a Service that targets the pods.

Why this answer

Option A is correct because it exposes the existing deployment named 'web' (which manages pods with label 'app: web') as a ClusterIP service, providing a stable internal IP and DNS name within the cluster. The `--port=80` sets the service port, and `--target-port=8080` maps to the container port, ensuring traffic reaches the pods correctly in the 'dev' namespace.

Exam trap

CNCF often tests the distinction between exposing a deployment (which uses a label selector for all pods) versus exposing a specific pod (which targets only that pod by name), leading candidates to choose Option D incorrectly.

How to eliminate wrong answers

Option B is wrong because `kubectl create service clusterip` requires a selector to match the pods, but the command does not specify `--clusterip` or a selector; it creates a service with no endpoints, leaving it non-functional. Option C is wrong because `kubectl run` creates a deployment or pod, not a service; it does not expose anything on a stable IP. Option D is wrong because `kubectl expose pod` targets a specific pod by name, not a set of pods with a label selector; it would expose only that single pod, not the entire set, and the pod name 'web' likely does not exist.

7
MCQ · hard

You apply the following YAML:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deploy
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: nginx
        image: nginx:1.21
```

But the Deployment never creates any Pods. Which field is missing or incorrect?

A. The field 'spec.selector' is missing, which is required for Deployment
B. The 'replicas' field is set to 0
C. The 'containers' field is misspelled as 'container'
D. The 'apiVersion' should be 'v1'
Answer: A

Deployments require a 'selector' field to know which Pods to manage.

Why this answer

The Deployment YAML is syntactically correct and valid, but it will never create Pods because the `spec.selector` field is missing. In Kubernetes, a Deployment requires a `spec.selector` to identify which Pods it manages; without it, the Deployment controller cannot match the Pod template to a ReplicaSet, so no Pods are created. The provided YAML has `selector` under `spec`, but it is not the required `spec.selector` — the field is present but incorrectly placed or missing entirely in the context of the Deployment spec.

Exam trap

CNCF often tests the misconception that the `selector` field is optional or that the `template.metadata.labels` alone suffice, but the `spec.selector` is mandatory and must match the template labels for the Deployment to function.

How to eliminate wrong answers

Option B is wrong because the `replicas` field is set to 3, not 0, so this is not the cause of the issue. Option C is wrong because the `containers` field is correctly spelled as `containers` in the YAML, not misspelled as `container`. Option D is wrong because `apiVersion: apps/v1` is the correct version for a Deployment in modern Kubernetes (v1.16+), and using `v1` would be incorrect as it does not support Deployments.

8
MCQ · medium

You need to run a stateless web application with three replicas, and you want to ensure that if a pod fails, it is automatically replaced. Which Kubernetes resource should you use?

A. DaemonSet
B. Job
C. StatefulSet
D. Deployment
Answer: D

Deployment creates a ReplicaSet to maintain the desired number of pod replicas and supports rolling updates.

Why this answer

A Deployment manages ReplicaSets and provides declarative updates, including self-healing by recreating failed pods. A DaemonSet runs a pod on each node, a Job runs a batch task, and a StatefulSet is for stateful applications.

9
MCQ · medium

Which kubectl command would you use to view the logs of a specific container named 'app' in a multi-container Pod named 'web-pod'?

A. kubectl log web-pod container app
B. kubectl logs web-pod app
C. kubectl logs web-pod -c app
D. kubectl logs app web-pod
Answer: C

The -c flag specifies the container name in a multi-container Pod.

Why this answer

Option C is correct because the `kubectl logs` command uses the `-c` flag to specify a container name within a multi-container Pod. The correct syntax is `kubectl logs <pod-name> -c <container-name>`, which targets the 'app' container inside 'web-pod'.

Exam trap

The trap here is that candidates often forget the `-c` flag and assume `kubectl logs web-pod app` works by positional arguments, but Kubernetes requires the explicit `-c` flag for multi-container Pods.

How to eliminate wrong answers

Option A is wrong because `kubectl log` is not a valid command; the correct verb is `logs`. Option B is wrong because it omits the `-c` flag, which is required to specify a container in a multi-container Pod; without it, `kubectl logs` defaults to the first container or fails if multiple containers exist. Option D is wrong because the argument order is reversed; the pod name must come first, followed by the `-c` flag and container name.

10
MCQ · easy

What is the role of the kubelet on a worker node?

A. It ensures containers are running in a Pod as specified
B. It stores cluster state
C. It manages network rules for Services
D. It runs the container runtime
Answer: A

kubelet receives Pod specifications and works with the container runtime to maintain them.

Why this answer

kubelet is the primary node agent that ensures containers are running and healthy according to Pod specifications.

11
MCQ · medium

Which Kubernetes object provides stable network endpoints and load balancing for a set of Pods?

A. NetworkPolicy
B. Deployment
C. Ingress
D. Service
Answer: D

Services provide stable endpoints and load balancing.

Why this answer

A Service provides a stable IP and DNS name, and distributes traffic across Pods matching its selector.

12
MCQ · easy

What is the primary purpose of Kubernetes?

A. To provide a graphical interface for managing containers
B. To replace virtual machines with containers
C. To compile container images from source code
D. To orchestrate containers across a cluster of machines
Answer: D

This is the core purpose of Kubernetes.

Why this answer

Kubernetes is a container orchestration platform that automates deployment, scaling, and management of containerized applications.

13
MCQ · medium

Which command would you use to view the logs of a container named 'web' in a pod named 'frontend' running in the 'production' namespace?

A. kubectl logs -c web frontend --namespace production
B. kubectl logs frontend -c web -n production
C. kubectl logs frontend -n production container web
D. kubectl logs frontend web --namespace production
Answer: B

Correct syntax: kubectl logs <pod> -c <container> -n <namespace>.

Why this answer

Option B is correct because the `kubectl logs` command requires the pod name as the first positional argument, and the `-c` flag specifies the container name when a pod has multiple containers. The `-n` flag sets the namespace. The correct syntax is `kubectl logs <pod-name> -c <container-name> -n <namespace>`, which matches option B exactly.

Exam trap

CNCF often tests the correct ordering of flags and positional arguments in `kubectl` commands, specifically that the `-c` container flag must come after the pod name, not before, and that omitting it when a pod has multiple containers will not target the intended container.

How to eliminate wrong answers

Option A is wrong because it places the `-c web` flag before the pod name, which is syntactically incorrect; the `-c` flag must follow the pod name. Option C is wrong because it uses an invalid positional argument 'container' after the pod name; `kubectl logs` does not accept a literal 'container' keyword. Option D is wrong because it omits the `-c` flag entirely, so it would attempt to view logs from the pod's default container (or fail if the pod has multiple containers and no default is defined), not specifically from the container named 'web'.

14
Multi-Select · medium

Which TWO of the following are valid ways to expose a Deployment as a Service?

Select 2 answers
A. Run 'kubectl expose deployment my-deployment --port=80 --target-port=8080'
B. Edit the Deployment and set 'spec.serviceName'
C. Run 'kubectl run my-deployment --image=nginx --expose'
D. Add a 'service' section to the Deployment's YAML manifest
E. Create a Service YAML with a selector matching the Deployment's pod labels
Answers: A, E

This command creates a Service based on the Deployment's pod labels.

Why this answer

You can create a Service that selects pods by their labels. Using 'kubectl expose deployment' creates a Service from a Deployment. Writing a Service YAML manifest and applying it also works.

Editing the Deployment's spec does not create a Service, and 'kubectl run' with --expose creates a pod and service, but not from an existing Deployment.

15
MCQ · hard

You have a Deployment that uses a ConfigMap for configuration. You update the ConfigMap with new data. However, the pods in the Deployment continue to use the old configuration. What is the most likely reason?

A. The ConfigMap data is immutable and cannot be updated
B. The ConfigMap is referenced by a different name in the pod spec
C. The ConfigMap is mounted as a volume, and the pods have not been restarted
D. The Deployment's update strategy is set to Recreate
Answer: C

When a ConfigMap is mounted as a volume, the files are updated eventually, but the application may not automatically reload the configuration. For environment variables, the pod must be restarted. In either case, without a restart, the old configuration is used.

Why this answer

When a ConfigMap is mounted as a volume in a Pod, updates to the ConfigMap are automatically propagated to the mounted files, but the running process inside the container does not automatically reload the configuration. The Pod must be restarted (e.g., by rolling update or manual deletion) for the application to read the new values. This is the most common reason for stale configuration in a Deployment.

Exam trap

CNCF often tests the misconception that updating a ConfigMap automatically updates running Pods, when in fact the Pod must be restarted (or the application must watch for file changes) for the new configuration to take effect.

How to eliminate wrong answers

Option A is wrong because ConfigMaps are not immutable by default; they can be updated unless the `immutable` field is explicitly set to `true`. Option B is wrong because if the ConfigMap were referenced by a different name, the Pod would fail to start or mount, not silently use old data. Option D is wrong because the `Recreate` update strategy would terminate all Pods and create new ones, which would pick up the updated ConfigMap; it does not cause stale configuration.

16
MCQ · medium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A. Delete the namespace and redeploy all workloads
B. Increase the memory limit in the pod's container resource specification
C. Delete and recreate the pod to clear the crash loop
D. Increase the CPU request for the container
Answer: B

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option B is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option C would not help: restarting the pod without addressing the root cause will result in the same failure. Option D addresses CPU, not memory. Option A (deleting the namespace) is destructive and unnecessary.

17
Multi-Select · medium

Which two components are part of the Kubernetes control plane? (Select TWO.)

Select 2 answers
A. kube-apiserver
B. container runtime
C. kube-proxy
D. kubelet
E. etcd
Answers: A, E

API server is a control plane component.

Why this answer

The Kubernetes control plane manages the cluster and makes global decisions. kube-apiserver is the front-end for the control plane, exposing the Kubernetes API for all interactions. etcd is a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data, making it a core control plane component.

Exam trap

CNCF often tests the distinction between control plane and worker node components, and the trap here is that candidates confuse kubelet or kube-proxy (which run on every node) with control plane components because they are essential to cluster operation but are not part of the control plane itself.

18
MCQ · hard

You have a Pod that needs to run a one-time batch job to completion. Which resource type should you use?

A. Job
B. StatefulSet
C. DaemonSet
D. Deployment
Answer: A

Jobs run Pods to completion.

Why this answer

A Job resource is designed for running a finite task to completion, such as a batch job or a one-time computation. Unlike controllers that maintain a desired number of replicas indefinitely, a Job creates one or more Pods and tracks their successful termination. Once the specified number of completions is reached, the Job is considered finished and no further Pods are created.

Exam trap

The trap here is that candidates often confuse a Job with a Deployment, thinking that any workload that runs a container should use a Deployment, but Deployments are designed for long-running services, not ephemeral batch tasks.

How to eliminate wrong answers

Option B (StatefulSet) is wrong because StatefulSets are used for stateful applications that require stable, unique network identities and persistent storage, not for one-time batch jobs. Option C (DaemonSet) is wrong because DaemonSets ensure that a copy of a Pod runs on every (or selected) node in the cluster, typically for daemon-like services such as logging or monitoring, not for tasks that run to completion. Option D (Deployment) is wrong because Deployments manage a set of identical Pods with a desired replica count, ensuring they are always running and self-healing, which is the opposite of a one-time batch job that should terminate upon success.

19
MCQ · easy

Which of the following is a worker node component responsible for ensuring that containers are running in a pod as specified in the pod's spec?

A. kube-scheduler
B. kube-proxy
C. kubelet
D. etcd
Answer: C

The kubelet ensures that containers are running in a pod as specified.

Why this answer

The kubelet is the primary node agent that runs on each worker node. It receives PodSpecs (via the API server or a file) and ensures that the containers described in those PodSpecs are running and healthy. It does this by interacting with the container runtime (e.g., containerd or CRI-O) to start, stop, and monitor containers as required.

Exam trap

CNCF often tests the distinction between control plane components (scheduler, etcd) and worker node agents (kubelet, kube-proxy), and the trap here is confusing the kubelet's role of running containers with the kube-scheduler's role of placing pods onto nodes.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is a control plane component responsible for assigning pods to nodes based on resource requirements and constraints, not for running containers on a node. Option B is wrong because kube-proxy is a network proxy that runs on each node, handling network rules (e.g., iptables or IPVS) for service abstraction and pod-to-service communication, not container lifecycle management. Option D is wrong because etcd is a distributed key-value store used as Kubernetes' backing store for all cluster data, not a node-level component that manages containers.

20
MCQ · medium

Which component on a worker node is responsible for enforcing the network rules and implementing Service abstractions?

A. kube-proxy
B. kubelet
C. container runtime
D. kube-scheduler
Answer: A

kube-proxy maintains network rules for Service connectivity.

Why this answer

kube-proxy runs on each node and handles network proxying and load balancing for Services.

21
MCQ · medium

You have a Deployment named 'web-app' that manages 3 replicas. You need to update the container image from version 1.0 to 2.0 with zero downtime. Which Kubernetes feature is designed to handle this automatically when you update the Deployment's pod template?

A. ReplicationController
B. Rolling update strategy in the Deployment
C. DaemonSet
D. StatefulSet's onDelete strategy
Answer: B

The rolling update strategy is the default update strategy for Deployments, enabling gradual pod replacement with zero downtime.

Why this answer

The correct answer is B because a Deployment's default update strategy is 'RollingUpdate', which automatically replaces old Pods with new ones in a controlled manner, ensuring zero downtime by incrementally scaling down old replicas and scaling up new replicas. When you update the container image in the Deployment's pod template, Kubernetes triggers a rolling update that maintains the desired number of replicas throughout the process.

Exam trap

The trap here is that candidates may confuse the Deployment's automatic rolling update with manual update methods (like onDelete) or think that a ReplicationController or DaemonSet can handle zero-downtime updates in the same way, but only the Deployment's RollingUpdate strategy provides this out-of-the-box behavior for stateless applications.

How to eliminate wrong answers

Option A is wrong because a ReplicationController does not support rolling updates natively; it only ensures a specified number of Pod replicas are running, and updating its pod template requires manual deletion and recreation of Pods, causing downtime. Option C is wrong because a DaemonSet ensures that a copy of a Pod runs on all (or a subset of) nodes, and it is not designed for managing stateless application replicas with zero-downtime updates; its update strategy can be RollingUpdate or OnDelete, but it is not the feature intended for a Deployment like 'web-app'. Option D is wrong because StatefulSet's onDelete strategy requires manual Pod deletion to trigger updates, which does not provide automatic zero-downtime updates; StatefulSets are designed for stateful applications and their default update strategy is RollingUpdate, but the question asks about a Deployment, not a StatefulSet.

22
MCQ · easy

What is the smallest deployable unit in Kubernetes?

A. Pod
B. Deployment
C. Node
D. Container
Answer: A

A Pod is the smallest deployable unit that can be created and managed in Kubernetes.

Why this answer

Option A is correct. A Pod is the smallest and simplest unit in Kubernetes. It represents a single instance of a running process and can contain one or more containers.

Containers themselves are not directly managed by Kubernetes; they are encapsulated in Pods.

23
MCQ · medium

A Deployment manages ReplicaSets and supports rolling updates. You want to change the container image of a Deployment without downtime. What is the recommended approach?

A. Use kubectl expose to update the image on the service
B. Delete the existing Deployment and create a new one with the updated image
C. Edit the Deployment's pod template spec to use the new image; the Deployment will automatically perform a rolling update
D. Manually delete all pods one by one; they will be recreated with the new image by the ReplicaSet
Answer: C

Changing the pod template triggers a rolling update managed by the Deployment.

Why this answer

The correct approach is to update the Deployment's pod template (e.g., spec.template.spec.containers[0].image) and apply the change. The Deployment controller then performs a rolling update by gradually replacing pods with the new image.

24
Multi-Select · medium

Which THREE of the following are valid options for the 'kubectl get' command to display output in different formats?

Select 3 answers
A. -o verbose
B. -o wide
C. -o json
D. -o yaml
E. --describe
Answers: B, C, D

Output with additional details.

Why this answer

Option B is correct because `kubectl get -o wide` is a valid output format that displays additional details such as node names and internal IPs for pods, or cluster IPs and ports for services, beyond the default summary columns. This is a standard kubectl output flag for human-readable extended output.

Exam trap

CNCF often tests the distinction between output format flags (`-o`) and separate subcommands (`describe`), trapping candidates who confuse `--describe` with `-o wide` or think `-o verbose` is a real format.

25
Multi-Select · hard

Which three of the following are valid ways to expose a service externally in Kubernetes? (Select THREE.)

Select 3 answers
A. Ingress
B. ExternalName
C. NodePort
D. LoadBalancer
E. ClusterIP
Answers: A, C, D

Ingress provides HTTP/S routing and can expose services externally.

Why this answer

Ingress is correct because it provides HTTP/HTTPS-based external access to services using host-based or path-based routing rules, typically via an Ingress controller (e.g., NGINX, Traefik). It exposes a service externally by defining rules that map external traffic to internal ClusterIP services, making it a valid method for external exposure.

Exam trap

The trap here is that candidates often confuse ExternalName as an external exposure method because of its name, but it only creates a DNS alias within the cluster and does not expose the service to external clients.

26
MCQ · hard

A cluster has a node with the taint 'node-role.kubernetes.io/control-plane:NoSchedule'. A pod must be scheduled on this node for a special workload. Which action is required?

A. Use a nodeSelector to select the node.
B. Remove the taint from the node.
C. Add a toleration to the pod spec.
D. Use podAffinity to attract the pod to the node.
Answer: C

Correct; toleration allows the pod to be scheduled on the tainted node.

Why this answer

Option C is correct because a taint on a node causes the scheduler to avoid placing pods on that node unless the pod explicitly tolerates the taint. By adding a toleration in the pod spec that matches the taint key, effect, and optionally the value, the pod becomes eligible to be scheduled on the tainted node. This is the standard Kubernetes mechanism for allowing pods to run on control-plane or other specially tainted nodes.

Exam trap

The trap here is that candidates confuse nodeSelector (label-based) with tolerations (taint-based), thinking that selecting a node by label can override a taint, when in fact taints are a separate, higher-priority scheduling constraint.

How to eliminate wrong answers

Option A is wrong because a nodeSelector only matches node labels, not taints; it cannot override the scheduling restriction imposed by a NoSchedule taint. Option B is wrong because removing the taint would affect all pods and is unnecessary when only a specific pod needs to run on that node; it also violates the principle of least privilege. Option D is wrong because podAffinity attracts pods based on labels of other pods, not node-level taints, and does not bypass the NoSchedule effect.

27
MCQ · medium

You want to update a Deployment's container image from 'nginx:1.20' to 'nginx:1.21' and record the change. Which kubectl command should you use?

A. kubectl edit deployment nginx
B. kubectl apply -f deployment.yaml
C. kubectl set image deployment/nginx nginx=nginx:1.21 --record
D. kubectl set image deployment/nginx nginx=nginx:1.21
Answer: C

The --record flag annotates the change for history.

Why this answer

kubectl set image deployment/<name> <container>=<image> --record records the command in the rollout history.

28
MCQ · hard

You create a Service of type ClusterIP in the 'default' namespace. You try to reach the Service from a pod in the 'production' namespace using the service name. The connection fails. What is the most likely reason?

A. The pod cannot resolve the DNS name because service DNS names are only resolvable within the same namespace
B. Cross-namespace service access is not allowed by default
C. The service has no endpoints
D. The service port is not correctly configured
Answer: A

DNS resolution for services is namespace-scoped; you need to use the FQDN.

Why this answer

Service DNS names are scoped to namespaces. To access a service in another namespace, you must use the fully qualified name: <service>.<namespace>.svc.cluster.local.

29
MCQ · hard

You have a Deployment that runs a web application. You need to expose this application externally on a fixed port using a cloud load balancer. Which Service type should you use?

A. NodePort
B. LoadBalancer
C. ExternalName
D. ClusterIP
Answer: B

LoadBalancer provisions an external load balancer and assigns a fixed external IP.

Why this answer

A LoadBalancer Service type provisions an external cloud load balancer (e.g., AWS ELB, GCP TCP/UDP Load Balancer) that exposes the application on a fixed port (typically 80/443) and distributes traffic to the Pods. This is the correct choice because the requirement explicitly asks for a cloud load balancer with a fixed external port, which is exactly what LoadBalancer provides by integrating with the underlying cloud provider's API.

Exam trap

CNCF often tests the misconception that NodePort is sufficient for external access, but the question's requirement for a 'cloud load balancer' and 'fixed port' (like 80/443) disqualifies NodePort because it uses a high port range and lacks cloud LB integration.

How to eliminate wrong answers

Option A is wrong because NodePort exposes the application on a static port on each node's IP (range 30000-32767), not via a cloud load balancer, and does not provide a fixed external port like 80 or 443. Option C is wrong because ExternalName maps a Service to a DNS name (CNAME record) and does not expose any ports or provide load balancing; it is used for external service discovery, not for exposing an application externally. Option D is wrong because ClusterIP exposes the Service only on a cluster-internal IP, making it unreachable from outside the cluster without additional components like an Ingress or a proxy.

30
MCQmedium

Which component runs on every node and is responsible for maintaining network rules that allow communication to Pods from network endpoints?

A.kube-controller-manager
B.kube-proxy
C.container runtime
D.kubelet
AnswerB

kube-proxy maintains network rules for service connectivity.

Why this answer

kube-proxy runs on each node and implements network rules (e.g., iptables, IPVS) to manage service-to-pod communication.

31
MCQeasy

You want to view the logs of a running pod named 'my-pod'. Which kubectl command should you use?

A.kubectl exec my-pod -- cat /var/log/container.log
B.kubectl logs my-pod
C.kubectl get pod my-pod -o yaml
D.kubectl describe pod my-pod
AnswerB

This prints the pod's logs.

Why this answer

kubectl logs <pod-name> fetches logs from the container(s) in the pod.

32
Multi-Selectmedium

Which THREE of the following are valid types of Kubernetes Services? (Select THREE)

Select 3 answers
A.InternalIP
B.LoadBalancer
C.NodePort
D.ExternalName
E.ClusterIP
AnswersB, C, E

LoadBalancer exposes the Service externally via a cloud provider's load balancer.

Why this answer

ClusterIP, NodePort, and LoadBalancer are standard Service types. ExternalName is also valid, but InternalIP is not a Service type.

33
MCQmedium

What is the purpose of kube-proxy on a worker node?

A.To run the container runtime
B.To store cluster configuration data
C.To implement network rules and handle service traffic routing
D.To monitor pod health and restart unhealthy containers
AnswerC

kube-proxy configures iptables or IPVS rules to route traffic to the correct Pods.

Why this answer

Option C is correct because kube-proxy is the component responsible for implementing network rules on each worker node, enabling service abstraction by managing iptables or IPVS rules to route traffic to the appropriate pods. It handles service discovery and load balancing for ClusterIP, NodePort, and LoadBalancer service types, ensuring that traffic destined for a service is correctly forwarded to healthy pod endpoints.

Exam trap

CNCF often tests the misconception that kube-proxy handles pod health checks and restarts, but that is actually the kubelet's job, while kube-proxy only deals with network traffic routing and service abstraction.

How to eliminate wrong answers

Option A is wrong because the container runtime (e.g., containerd, CRI-O) is a separate component that runs containers, not kube-proxy. Option B is wrong because cluster configuration data is stored in etcd, a distributed key-value store, not in kube-proxy. Option D is wrong because monitoring pod health and restarting unhealthy containers is the responsibility of the kubelet, specifically through liveness probes and pod lifecycle management, not kube-proxy.

34
MCQmedium

Which Kubernetes resource provides stable network endpoints for a set of pods, enabling service discovery and load balancing?

A.Service
B.NetworkPolicy
C.Ingress
D.EndpointSlice
AnswerA

A Service provides a stable endpoint and load balancing for a set of pods, enabling service discovery within the cluster.

Why this answer

A Service is the correct Kubernetes resource because it provides a stable virtual IP (ClusterIP) and DNS name that persists independently of pod lifecycles, enabling reliable service discovery and client-side load balancing across a set of pods selected by labels. This abstraction decouples clients from ephemeral pod IPs, ensuring traffic is routed to healthy pods via kube-proxy and iptables/IPVS rules.

Exam trap

CNCF often tests the misconception that Ingress provides load balancing and stable endpoints directly to pods, when in fact Ingress only routes external traffic to a Service, which is the actual resource providing those capabilities.

How to eliminate wrong answers

Option B is wrong because NetworkPolicy is a firewall rule that controls ingress/egress traffic at the pod level using IP blocks or label selectors, but it does not provide stable network endpoints or load balancing. Option C is wrong because Ingress is an API object that manages external HTTP/HTTPS routing to Services (typically via a controller like NGINX), but it does not itself provide stable endpoints or load balance directly to pods; it relies on a Service for that. Option D is wrong because EndpointSlice is a lower-level resource that tracks the actual pod IPs and ports backing a Service, but it is a data object consumed by kube-proxy, not a resource that provides stable endpoints or load balancing on its own.

35
MCQmedium

A Pod has been in 'Pending' state for an unusual amount of time. Which of the following is a likely cause?

A.The container image is invalid
B.The Pod's liveness probe is failing
C.The cluster does not have enough resources to schedule the Pod
D.The Service pointing to the Pod is misconfigured
AnswerC

Pending often means the scheduler cannot find a node with sufficient resources.

Why this answer

Pending state indicates the Pod has not been scheduled. Insufficient cluster resources (CPU/memory) is a common reason.

36
MCQmedium

Which resource type provides a stable IP address and DNS name to access a set of Pods, regardless of Pod IP changes?

A.Ingress
B.ConfigMap
C.Deployment
D.Service
AnswerD

Services provide stable networking for Pods.

Why this answer

A Service provides a stable endpoint (IP and DNS) that load-balances traffic to a set of pods selected by labels.

37
Multi-Selectmedium

Which TWO statements about Kubernetes Services are correct?

Select 2 answers
A.A Service can only route traffic to Pods in the same namespace
B.A Service can only be of type ClusterIP
C.A Service automatically scales Pods based on load
D.A Service provides a stable IP address for Pods
E.A Service uses selectors to identify target Pods
AnswersD, E

Services have a virtual IP that remains stable even as Pods change.

Why this answer

Option D is correct because a Kubernetes Service provides a stable virtual IP address that remains constant even as the underlying Pods are created, destroyed, or rescheduled. This decouples clients from the ephemeral nature of Pod IPs, ensuring reliable connectivity within the cluster.

Exam trap

The trap here is that candidates often confuse the Service's role in providing a stable IP with the idea that it also handles scaling, or they mistakenly think Services are restricted to a single namespace or type, when in fact they are flexible across namespaces and types.

38
MCQmedium

A user runs 'kubectl get pods -n production' and sees no output. What is the most likely reason?

A.The kube-apiserver is down
B.There are no pods in the 'production' namespace
C.The user does not have permissions to list pods
D.The namespace does not exist
AnswerB

If the namespace exists but has no pods, the command returns no output.

Why this answer

If no pods exist in the namespace, kubectl returns no output (no resources found).

39
MCQhard

You have a Pod with a container that runs a web server. The Pod has a memory request of 256Mi and a memory limit of 512Mi. The container attempts to allocate 600Mi of memory. What happens?

A.The memory limit is automatically increased to 600Mi
B.The container is killed by the OOM killer, and the Pod enters CrashLoopBackOff
C.The Pod is evicted from the node
D.The container is allowed to use up to 600Mi because the limit is a soft constraint
AnswerB

Exceeding the memory limit triggers OOM kill; the container restarts and may crash again.

Why this answer

When a container exceeds its memory limit, the kernel OOM killer terminates the container. The container may be restarted by the kubelet depending on the restart policy.

40
Multi-Selecthard

Which THREE of the following are valid fields in a Kubernetes Deployment spec (apps/v1)?

Select 3 answers
A.replicas
B.template
C.selector
D.containers
E.nodeName
AnswersA, B, C

Specifies the desired number of pods.

Why this answer

Option A is correct because the `replicas` field is a standard part of the Deployment spec under `apps/v1`, defining the desired number of Pod replicas. Option B is correct because the `template` field is mandatory, containing the Pod template that describes the Pods to be created. Option C is correct because the `selector` field is required to match the Pods managed by the Deployment, ensuring the ReplicaSet controls the correct Pods.

Exam trap

CNCF often tests the distinction between fields that belong to the Deployment spec versus fields that belong to the Pod spec, so candidates mistakenly select `containers` or `nodeName` as top-level Deployment fields.

41
MCQmedium

You want to expose a set of pods running a web application on port 80 internally within the cluster, with a stable IP address, so that other services can reach them. Which Kubernetes resource should you create?

A.Service (ClusterIP)
B.Ingress
C.Deployment
D.Pod
AnswerA

A Service provides a stable IP and load-balances traffic to pods.

Why this answer

A Service of type ClusterIP provides a stable internal IP and DNS name for a set of pods.

42
MCQeasy

What is the primary purpose of Kubernetes?

A.To compile source code
B.To orchestrate containers across a cluster
C.To run virtual machines
D.To manage physical servers
AnswerB

Kubernetes automates the deployment, scaling, and management of containerized applications.

Why this answer

Kubernetes is a container orchestration platform designed to automate the deployment, scaling, and management of containerized applications across a cluster of nodes. Its primary purpose is to abstract the underlying infrastructure and provide a declarative way to run and manage containers, ensuring desired state and self-healing. This directly corresponds to orchestrating containers across a cluster, not compiling code, running VMs, or managing physical servers.

Exam trap

CNCF often tests the misconception that Kubernetes is a general-purpose infrastructure manager, but the trap here is confusing container orchestration with VM management or physical server administration, leading candidates to pick Option C or D.

How to eliminate wrong answers

Option A is wrong because Kubernetes does not compile source code; compilation is handled by build tools like Docker or language-specific compilers, while Kubernetes only runs the resulting container images. Option C is wrong because Kubernetes is designed for containers, not virtual machines; it can orchestrate VMs via providers like KubeVirt, but that is a specialized extension, not its primary purpose. Option D is wrong because Kubernetes abstracts physical servers into a cluster and manages container workloads, not the physical hardware itself; hardware management is the role of infrastructure tools like IPMI or provisioning systems.

43
MCQeasy

Which kubectl command would you use to view detailed information about a specific pod, including events and container status?

A.kubectl explain pod
B.kubectl get pod <pod-name>
C.kubectl logs pod <pod-name>
D.kubectl describe pod <pod-name>
AnswerD

This command provides a detailed description of the pod including events and container statuses.

Why this answer

Option D is correct because `kubectl describe pod <pod-name>` provides a comprehensive view of a pod's metadata, spec, status, conditions, container resource usage, and a chronological list of events (e.g., scheduling, pulling images, container restarts). This command aggregates information from the Kubernetes API server, including the pod's current state and lifecycle events, which is essential for debugging pod failures or unexpected behavior.

Exam trap

CNCF often tests the distinction between `kubectl get` (summary) and `kubectl describe` (detailed with events), expecting candidates to know that only `describe` surfaces the event stream and container state transitions needed for troubleshooting.

How to eliminate wrong answers

Option A is wrong because `kubectl explain pod` only displays the API documentation for the Pod resource schema (fields and descriptions), not runtime details or events about a specific pod instance. Option B is wrong because `kubectl get pod <pod-name>` outputs a concise summary (name, status, restarts, age) but omits detailed container status, conditions, and events. Option C is wrong because `kubectl logs pod <pod-name>` retrieves only the stdout/stderr output from the pod's containers, not the pod's metadata, status, or Kubernetes events.

44
MCQhard

A Service of type ClusterIP has been created, but pods in the same namespace cannot reach it by its DNS name. The Service selector matches the pods. What is a likely cause?

A.The Service YAML does not specify a port
B.The kube-dns or CoreDNS pod is not running
C.The Service is not exposed on a node port
D.The pods are using an incorrect container runtime
AnswerB

DNS resolution is provided by CoreDNS; if it is down, DNS names cannot be resolved.

Why this answer

CoreDNS provides DNS service discovery for Services. If it is not running or misconfigured, DNS resolution will fail.

45
MCQhard

You need to run a one-time batch job that processes data and then exits. The job should run to completion and not be restarted. Which Kubernetes resource should you use?

A.DaemonSet
B.Job
C.Deployment
D.StatefulSet
AnswerB

Jobs are designed for batch processing and run to completion.

Why this answer

A Kubernetes Job is designed for one-time batch processing tasks that run to completion and are not restarted. It creates one or more Pods and ensures they successfully terminate, making it the correct choice for a non-repeating, finite workload.

Exam trap

CNCF often tests the distinction between a Job and a CronJob, where candidates might mistakenly choose a CronJob for a one-time task, or confuse a Job's restart behavior with that of a Deployment's rolling update.

How to eliminate wrong answers

Option A is wrong because a DaemonSet ensures that a copy of a Pod runs on all (or a subset of) nodes, typically for long-running services like log collectors or monitoring agents, not for one-time batch jobs. Option C is wrong because a Deployment manages a set of identical Pods to maintain a desired replica count for long-running, stateless applications, and it will restart Pods if they exit, which contradicts the requirement that the job should not be restarted. Option D is wrong because a StatefulSet is used for stateful applications that require stable, unique network identities and persistent storage, such as databases, and is not intended for ephemeral batch processing.

46
Multi-Selecteasy

Which two commands are valid for viewing information about pods in a namespace named 'production'?

Select 2 answers
A.kubectl logs pods -n production
B.kubectl get pods -n production
C.kubectl get all -n production
D.kubectl run pod --image=nginx -n production
E.kubectl describe pod <pod-name> -n production
AnswersB, E

Correct.

Why this answer

kubectl get pods and kubectl describe pod are standard commands.

47
Multi-Selecthard

Which three components are part of the Kubernetes control plane?

Select 3 answers
A.kube-controller-manager
B.kube-proxy
C.kube-scheduler
D.kube-apiserver
E.kubelet
AnswersA, C, D

Correct.

Why this answer

The control plane consists of kube-apiserver, etcd, kube-scheduler, and kube-controller-manager. kubelet and kube-proxy run on nodes.

48
MCQeasy

Which component of the Kubernetes control plane is responsible for persisting the cluster state?

A.kube-scheduler
B.kube-controller-manager
C.etcd
D.kube-apiserver
AnswerC

etcd is the cluster's database, storing all cluster data.

Why this answer

etcd is a distributed key-value store that stores the entire configuration and state of the Kubernetes cluster.

49
Multi-Selectmedium

Which TWO of the following components are part of the Kubernetes control plane? (Select 2)

Select 2 answers
A.container runtime
B.kube-apiserver
C.kubelet
D.etcd
E.kube-proxy
AnswersB, D

It is the API server, central to the control plane.

Why this answer

The control plane consists of kube-apiserver, etcd, kube-scheduler, and kube-controller-manager. kubelet and kube-proxy run on worker nodes.

50
MCQhard

You have a Deployment that manages 3 replicas. You want to perform a rolling update with a maximum of 2 Pods unavailable during the update. Which field should you set in the Deployment spec?

A.spec.strategy.rollingUpdate.maxUnavailable
B.spec.minReadySeconds
C.spec.strategy.rollingUpdate.maxSurge
D.spec.replicas
AnswerA

maxUnavailable defines the maximum number of Pods that can be unavailable during the update.

Why this answer

maxUnavailable in the rolling update strategy controls how many Pods can be unavailable during the update.

51
MCQmedium

You have a Pod with a container that needs to read sensitive data such as a database password. Which Kubernetes resource should you use to store this data?

A.PersistentVolume
B.Secret
C.ServiceAccount
D.ConfigMap
AnswerB

Secrets store sensitive data and can be mounted as volumes or environment variables.

Why this answer

Secrets are designed to store sensitive information like passwords, tokens, or keys.

52
Multi-Selectmedium

Which THREE of the following are valid Kubernetes resource types that can be used to store configuration data or secrets?

Select 2 answers
A.Secret
B.Volume
C.PersistentVolumeClaim
D.ServiceAccount
E.ConfigMap
AnswersA, E

Why this answer

Option A is correct because a Secret is a dedicated Kubernetes resource type designed to store sensitive data, such as passwords, OAuth tokens, and SSH keys, in a base64-encoded format. Secrets are stored in etcd and can be mounted as volumes or exposed as environment variables, with optional encryption at rest to protect sensitive configuration data.

Exam trap

CNCF often tests the misconception that Volumes or PersistentVolumeClaims can store configuration data or secrets, but they are storage abstractions for arbitrary data, not the dedicated key-value resources (ConfigMap and Secret) designed for configuration and secrets management.

53
Multi-Selecteasy

Which TWO of the following are valid ways to view the logs of a pod named 'my-pod'?

Select 2 answers
A.kubectl describe pod my-pod
B.kubectl exec my-pod -- cat /var/log/app.log
C.kubectl logs my-pod
D.kubectl run my-pod -- logs
E.kubectl attach my-pod
AnswersB, C

If the application writes logs to a file, this command can retrieve them.

Why this answer

Option B is correct because `kubectl exec my-pod -- cat /var/log/app.log` runs the `cat` command inside the container of the pod, allowing you to read a specific log file directly from the filesystem. This is a valid method when the application writes logs to a file rather than stdout/stderr, or when you need to inspect a log file that is not captured by the standard logging driver.

Exam trap

The trap here is that candidates may confuse `kubectl describe` (which shows pod events and status) with `kubectl logs` (which shows actual application output), or assume `kubectl attach` can retrieve past logs when it only connects to the live process stream.

54
Multi-Selectmedium

Which THREE of the following are valid ways to create a Kubernetes resource using kubectl?

Select 3 answers
A.kubectl exec -it pod-name -- /bin/bash
B.kubectl run nginx --image=nginx
C.kubectl logs pod-name
D.kubectl create -f pod.yaml
E.kubectl apply -f deployment.yaml
AnswersB, D, E

Creates a deployment or pod running the specified image.

Why this answer

Option B is correct because `kubectl run nginx --image=nginx` creates a Pod imperatively, which is a valid way to create a Kubernetes resource directly from the command line without a manifest file. This command generates a Pod named 'nginx' using the specified container image, and it is a supported method for quick testing or ad-hoc resource creation.

Exam trap

CNCF often tests the distinction between commands that create resources versus commands that interact with existing resources, so candidates may mistakenly think `kubectl exec` or `kubectl logs` can create resources because they are common kubectl commands.

55
MCQmedium

Which kubectl command would you use to view the logs of a container named 'web' inside a Pod named 'app-12345'?

A.kubectl logs app-12345 -c web
B.kubectl logs -p web app-12345
C.kubectl logs app-12345 --container=web
D.kubectl logs web app-12345
AnswerA

Correct syntax: pod name first, then -c flag for container.

Why this answer

Option A is correct because `kubectl logs app-12345 -c web` explicitly specifies the container name 'web' within the Pod 'app-12345' using the `-c` flag. This is the standard syntax for viewing logs of a specific container in a multi-container Pod, as the `kubectl logs` command defaults to the first container if `-c` is omitted.

Exam trap

CNCF often tests the distinction between the `-c` flag for container selection and the `-p` flag for previous container logs, and the correct argument order (`kubectl logs <pod> -c <container>` vs. `kubectl logs <container> <pod>`), which leads candidates to confuse the flags or the positional syntax.

How to eliminate wrong answers

Option B is wrong because `-p` is the flag for viewing logs of a previously terminated container, not for specifying a container name; the correct flag for container selection is `-c`, and the argument order is also incorrect (the container name should follow `-c`). Option C is wrong because, although `--container=web` is a valid alternative syntax, `-c web` is the standard short form and the answer key lists A, not C, as correct. Option D is wrong because the syntax `kubectl logs web app-12345` places the container name before the Pod name, which is invalid; the correct order is `kubectl logs <pod-name> -c <container-name>`.

56
MCQmedium

A DevOps engineer has created a ConfigMap named 'app-config' and wants to use it to set environment variables in a pod. Which field in the pod spec should reference the ConfigMap?

A.spec.containers[].command
B.spec.containers[].env.name
C.spec.containers[].volumeMounts
D.spec.containers[].envFrom
AnswerD

'envFrom' is used to reference a ConfigMap or Secret and inject all entries as environment variables.

Why this answer

The 'envFrom' field in a container spec allows injecting all key-value pairs from a ConfigMap as environment variables.

57
MCQmedium

An administrator wants to update the image of a Deployment named 'my-app' from 'nginx:1.19' to 'nginx:1.20' with a rolling update strategy. They want to ensure that during the update, the number of unavailable pods never exceeds 1. Which field should they set in the Deployment spec?

A.spec.replicas
B.spec.minReadySeconds
C.spec.strategy.rollingUpdate.maxSurge
D.spec.strategy.rollingUpdate.maxUnavailable
AnswerD

maxUnavailable sets the maximum number of pods that can be unavailable during a rolling update. Setting to 1 ensures at most one pod is down at a time.

Why this answer

Option D is correct because `spec.strategy.rollingUpdate.maxUnavailable` controls the maximum number of Pods that can be unavailable during a rolling update. Setting this to 1 ensures that at most one Pod is unavailable at any time, meeting the administrator's requirement. This field is part of the Deployment's rolling update strategy and directly governs the availability guarantee during the update process.

Exam trap

The trap here is that candidates often confuse `maxSurge` with `maxUnavailable`, mistakenly thinking that controlling how many extra Pods are created (surge) also limits unavailable Pods, but `maxSurge` only caps the number of Pods above the desired count, not the number that can be unavailable.

How to eliminate wrong answers

Option A is wrong because `spec.replicas` defines the desired number of Pod replicas, not the availability constraints during an update. Option B is wrong because `spec.minReadySeconds` controls how long a newly created Pod must be ready before it is considered available, but it does not limit the number of unavailable Pods during a rolling update. Option C is wrong because `spec.strategy.rollingUpdate.maxSurge` controls the maximum number of Pods that can be created above the desired replica count during an update, not the number of unavailable Pods.

58
MCQhard

A Deployment is configured with 'replicas: 5' and a rolling update strategy. During an update, you notice that the number of available pods drops to 3 momentarily. Which field in the Deployment spec can be adjusted to control the minimum number of pods available during a rolling update?

A.spec.strategy.rollingUpdate.maxSurge
B.spec.strategy.rollingUpdate.maxUnavailable
C.spec.minReadySeconds
D.spec.replicas
AnswerB

maxUnavailable controls how many pods can be unavailable during the update.

Why this answer

The 'maxUnavailable' field in the rolling update strategy specifies the maximum number of pods that can be unavailable during the update. Setting it to a lower value ensures more pods remain available.

59
MCQeasy

Which Kubernetes component is responsible for ensuring that the desired number of pod replicas is running in the cluster?

A.kubelet
B.kube-scheduler
C.kube-controller-manager
D.kube-apiserver
AnswerC

The controller manager runs controllers that handle replication, endpoints, etc.

Why this answer

The kube-controller-manager runs various controllers, including the ReplicaSet controller, which ensures that the desired number of pods is maintained.

60
Multi-Selecthard

Which TWO of the following are responsibilities of the kube-controller-manager?

Select 2 answers
A.Assigning pods to nodes
B.Storing cluster state
C.Managing endpoint objects for Services
D.Monitoring node health
E.Serving the Kubernetes API
AnswersC, D

Why this answer

The kube-controller-manager runs controllers that handle routine tasks. The Node controller watches the health of nodes. The Endpoint controller (now EndpointSlice controller) manages endpoints for Services.

Assigning pods to nodes is done by the scheduler. Storing cluster state is done by etcd. Serving the Kubernetes API is done by kube-apiserver.

61
MCQmedium

Which Kubernetes object can be used to store sensitive data, such as passwords or API keys, and inject them into pods?

A.PersistentVolume
B.ServiceAccount
C.Secret
D.ConfigMap
AnswerC

Secrets store sensitive data in base64-encoded form.

Why this answer

Secrets are designed to store sensitive information and can be mounted as volumes or environment variables.

62
MCQmedium

A Deployment is configured with 'replicas: 3'. After a node failure, only 2 pods are running. What component ensures that a new pod is scheduled to restore the desired replica count?

A.kube-scheduler
B.kube-controller-manager
C.kubelet
D.kube-proxy
AnswerB

The controller manager includes the ReplicaSet controller that ensures the desired number of pods.

Why this answer

The kube-controller-manager runs the ReplicaSet controller, which detects the mismatch and creates a new pod.

63
MCQhard

A user reports that they cannot connect to a database service named 'db-service' from another pod in the same namespace. The service selector matches the database pod's labels. Which command would you run FIRST to troubleshoot the service's endpoints?

A.kubectl describe pod db-service
B.kubectl get endpoints db-service
C.kubectl exec -it <some-pod> -- curl db-service
D.kubectl logs db-service
AnswerB

Endpoints show the IP addresses of pods selected by the service. If empty, the selector is mismatched.

Why this answer

Option B is correct because `kubectl get endpoints db-service` directly shows whether the service has any endpoints (i.e., pod IPs) associated with it. If the endpoints list is empty, it indicates that the service's label selector is not matching any pods, which is the most common cause of connectivity failure. This is the fastest way to verify the fundamental prerequisite for service-to-pod traffic.

Exam trap

The trap here is that candidates often jump to connectivity tests (like curl) or pod logs, forgetting that the service must first have endpoints; Cisco tests whether you know to verify the selector-to-pod match at the endpoint level before assuming network issues.

How to eliminate wrong answers

Option A is wrong because `kubectl describe pod db-service` would fail since 'db-service' is a service name, not a pod name; even if you used the correct pod name, describing a pod does not reveal the service's endpoint status. Option C is wrong because `kubectl exec -it <some-pod> -- curl db-service` tests connectivity from within the cluster, but it assumes the service already has endpoints; running this first could waste time if the issue is that no endpoints exist. Option D is wrong because `kubectl logs db-service` is invalid (logs require a pod name, not a service name) and even if applied to a pod, logs would not show the service's endpoint state.

64
MCQmedium

You need to inspect the logs of a container named 'app' in a pod called 'web-1'. Which kubectl command should you use?

A.kubectl logs web-1 --container app
B.kubectl logs web-1 -c app
C.kubectl logs app web-1
D.kubectl logs -p web-1 app
AnswerB

This command correctly retrieves logs from the container 'app' in pod 'web-1'.

Why this answer

Option B is correct because the `kubectl logs` command requires the pod name first, and the `-c` flag (or `--container`) specifies the container name within that pod. Since the pod 'web-1' contains a container named 'app', `kubectl logs web-1 -c app` retrieves the logs from that specific container. This is the standard syntax for targeting a container in a multi-container pod.

Exam trap

CNCF often tests the argument order of `kubectl logs` and the specific use of `-c` vs. `--container`, trapping candidates who confuse the pod name with the container name or use incorrect flag syntax.

How to eliminate wrong answers

Option A is wrong because it uses the `--container` flag with an equals sign, which is syntactically incorrect; the correct flag is `-c` or `--container` followed by a space and the container name. Option C is wrong because it reverses the argument order, placing the container name before the pod name, which kubectl interprets as an attempt to fetch logs from a pod named 'app' with a container named 'web-1', leading to an error. Option D is wrong because the `-p` flag is used to get logs from a previous instance of a container (e.g., after a crash), not to specify the container name, and the argument order is incorrect.

65
MCQmedium

Refer to the exhibit. A pod is created with the above manifest. The container runs nginx listening on port 80, but the liveness probe is configured to check port 8080. What will happen?

A.The pod will fail to start because the probe port mismatches the container port.
B.The liveness probe will fail, but the pod will still be marked as Ready.
C.The liveness probe will fail, causing the container to be restarted.
D.The pod will run successfully because the probe is not required.
AnswerC

Correct; liveness probe failure leads to restart.

Why this answer

The liveness probe is configured to check port 8080, but the container only listens on port 80. Since the probe will never receive a successful HTTP response from port 8080, it will fail repeatedly. According to Kubernetes behavior, after the failure threshold is reached (default: 3 failures with a 10-second interval), kubelet will restart the container to attempt to recover it.

This is the intended mechanism for detecting and remediating deadlocked or unresponsive applications.

Exam trap

Cisco often tests the distinction between probe failure and pod startup failure—candidates mistakenly think a misconfigured probe prevents the pod from starting, but Kubernetes always starts the container first and then evaluates probes asynchronously.

How to eliminate wrong answers

Option A is wrong because a probe port mismatch does not prevent the pod from starting; the pod will start and the container will run, but the liveness probe will fail. Option B is wrong because the liveness probe failure does not affect the Ready condition directly—readiness is determined by the readiness probe, not the liveness probe—but the container will be restarted, so the pod will not remain in a stable Ready state. Option D is wrong because the liveness probe is explicitly defined in the manifest and is therefore required; Kubernetes will execute it regardless of whether the container port matches.

66
MCQ · hard

A pod is running a Java application that occasionally leaks memory. After a few hours, 'kubectl describe pod' shows the container exited with OOMKilled. You want to automatically restart the container but ensure the application has enough memory. What should you do?

A. Set restartPolicy: OnFailure in the pod spec
B. Use a DaemonSet instead of a Deployment
C. Increase the memory limit in the container's resources.limits and add a liveness probe that triggers on high memory usage
D. Set terminationGracePeriodSeconds to 0
Answer: C

Increasing memory limit prevents OOM, and a liveness probe can restart the pod before OOM.

Why this answer

The default restart policy is Always, so the container will restart. The solution is to increase the memory limit and consider using a liveness probe to detect and restart earlier.

67
MCQ · easy

Which component is the primary entry point for all administrative tasks and API requests in a Kubernetes control plane?

A. kube-apiserver
B. etcd
C. kube-scheduler
D. kube-controller-manager
Answer: A

It is the API gateway for all administrative tasks.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane, exposing the REST API and handling all requests.

68
MCQ · hard

You create a Deployment with 'replicas: 3' and update the pod template to use a new image. After the rollout, you notice that the new ReplicaSet has 3 pods but they are all failing with 'CrashLoopBackOff'. You want to rollback to the previous working revision. Which command should you run?

A. kubectl set image deployment/my-deployment nginx=nginx:1.21
B. kubectl delete deployment/my-deployment --cascade=false
C. kubectl rollout undo deployment/my-deployment
D. kubectl rollout pause deployment/my-deployment
Answer: C

This command rolls back the Deployment to the previous revision.

Why this answer

'kubectl rollout undo deployment/my-deployment' rolls back to the previous revision.

69
MCQ · hard

You have a Deployment with image: myapp:v1. You update the image to myapp:v2 using 'kubectl set image deployment/myapp myapp=myapp:v2'. The rollout status shows 'Waiting for rollout to finish: 0 out of 3 new replicas have been updated...'. What is the most likely cause of this behavior?

A. The command syntax is incorrect; you should use 'kubectl set image deployment/myapp myapp:v2'
B. The new Pods are crashing due to a missing command
C. The Deployment's update strategy is set to 'Recreate'
D. The new image myapp:v2 does not exist or cannot be pulled from the registry
Answer: D

If the image cannot be pulled, the new Pods will remain in ImagePullBackOff, preventing them from being counted as updated.

Why this answer

Option D is correct. If the image pull fails (e.g., authentication error, no such image), the new Pod will be stuck in ImagePullBackOff and will not become ready. The Deployment will wait for the new Pods to be ready before proceeding.

Option A would generate an error on the command. Option B would cause an immediate error. Option C might cause an error if the container crashes, but the rollout would still update replicas; however, image pull failure is a common issue.

70
Multi-Select · hard

Which three of the following are valid methods to expose a Service to external traffic? (Select THREE)

Select 3 answers
A. Ingress
B. NodePort
C. LoadBalancer
D. ClusterIP
E. ExternalName
Answers: A, B, C

Ingress provides HTTP/HTTPS routing to Services.

Why this answer

NodePort, LoadBalancer, and Ingress are all valid methods to expose services externally. ClusterIP only exposes internally within the cluster.

71
MCQ · medium

You have a Deployment named 'frontend' with 3 replicas. You want to perform a rolling update to a new container image. Which command should you use?

A. kubectl set image deployment/frontend container1=nginx:1.20
B. kubectl replace deployment frontend --image=nginx:1.20
C. kubectl edit deployment frontend --image=nginx:1.20
D. kubectl update deployment frontend --image=v2
Answer: A

This command updates the image for container1 in the frontend deployment.

Why this answer

The `kubectl set image` command is the correct way to perform a rolling update on a Deployment. It directly updates the container image in the pod template, triggering a rolling update where the ReplicaSet gradually replaces old pods with new ones, ensuring zero downtime. Option A specifies the exact container name and new image, which matches the required syntax for a targeted update.

Exam trap

The trap here is that candidates confuse imperative commands like `kubectl set image` with declarative commands like `kubectl replace` or non-existent commands like `kubectl update`, leading them to pick options that either require a full manifest or are syntactically invalid.

How to eliminate wrong answers

Option B is wrong because `kubectl replace` is used to replace a resource from a file or stdin, not to update an image directly; it would require a full YAML/JSON definition and does not trigger a rolling update by default. Option C is wrong because `kubectl edit` opens an editor for manual changes and does not accept an `--image` flag; it is interactive and not a single command for a rolling update. Option D is wrong because `kubectl update` is not a valid kubectl command; the correct imperative command for updating an image is `kubectl set image`.

72
MCQ · medium

A Deployment named 'myapp' is managing a ReplicaSet. You need to update the application image to version 2.0. What is the recommended approach?

A. Scale down the Deployment to 0 replicas, then scale up with the new image
B. Update the Deployment's pod template image to version 2.0
C. Delete the existing ReplicaSet and create a new one with the updated image
D. Directly update the pods in the ReplicaSet by using 'kubectl edit pod'
Answer: B

Updating the Deployment triggers a rolling update, ensuring zero-downtime and rollback capability.

Why this answer

Option B is correct because the recommended approach to update a Deployment's application image is to modify the pod template in the Deployment specification. The Deployment controller then automatically performs a rolling update, creating a new ReplicaSet with the updated image and gradually scaling down the old ReplicaSet, ensuring zero-downtime updates and maintaining desired replica count.

Exam trap

CNCF often tests the misconception that you must directly manipulate ReplicaSets or pods to update an application, when in fact the Deployment abstraction is designed to handle all updates through its pod template, and any direct changes to underlying resources are either reverted or break the declarative model.

How to eliminate wrong answers

Option A is wrong because scaling down to 0 replicas and then scaling up with a new image causes an unnecessary service disruption and does not leverage the Deployment's built-in rolling update mechanism, which is designed for seamless updates. Option C is wrong because manually deleting the existing ReplicaSet and creating a new one bypasses the Deployment controller's management, losing revision history and the ability to roll back; the Deployment should manage ReplicaSets automatically. Option D is wrong because directly editing pods in a ReplicaSet is ineffective, as the ReplicaSet controller will immediately revert any changes to match its pod template, and this approach does not update the Deployment's desired state.

73
MCQ · medium

Which component of the Kubernetes control plane is responsible for storing the cluster state?

A. kube-scheduler
B. etcd
C. kube-apiserver
D. kube-controller-manager
Answer: B

etcd is the key-value store that persists the entire cluster configuration and state.

Why this answer

etcd is a distributed key-value store that holds all cluster data, including configuration, state, and metadata.

74
Multi-Select · medium

Which TWO statements about Kubernetes Pods are correct?

Select 2 answers
A. Containers within a Pod cannot communicate with each other without using Services.
B. A Pod is the smallest deployable unit in Kubernetes.
C. A Pod always runs on a single node.
D. A Pod can contain multiple containers that share the same network namespace.
E. Pods are the most resilient unit in Kubernetes and automatically recover from failures.
Answers: B, D

Pods are the atomic unit of scheduling and deployment.

Why this answer

Option B is correct because a Pod is the smallest and most basic deployable unit in Kubernetes, representing a single instance of a running process in the cluster. Pods encapsulate one or more containers, storage resources, and a unique network IP, and they are the atomic unit for scheduling, scaling, and lifecycle management.

Exam trap

The trap here is that candidates often confuse Pods with virtual machines or assume containers within a Pod need Services to communicate, when in fact they share a network namespace and can use localhost directly.

75
MCQ · hard

A production issue arises: a Deployment with 10 replicas is updated, but the new Pods are failing health checks and being terminated. The old Pods are also being terminated. What is the most likely cause?

A. The Deployment's 'paused' field is set to true
B. The Deployment's 'revisionHistoryLimit' is set to 1
C. maxSurge and maxUnavailable are set to values that allow termination of old Pods before new ones are ready
D. The RollingUpdate strategy has maxSurge=0 and maxUnavailable=0
Answer: C

For example, maxSurge=1 and maxUnavailable=1 allows the rollout to continue even if new Pods are unhealthy, potentially terminating old ones.

Why this answer

If minReadySeconds or maxSurge/maxUnavailable are set incorrectly, the rollout can progress despite failures. The most common cause is that the Deployment's 'progressDeadlineSeconds' may be exceeded, but the question implies both old and new are being terminated. The correct answer is that maxSurge and maxUnavailable are misconfigured, causing the rollout to continue even when new Pods are unhealthy.
