CCNA KCNA Kubernetes Fundamentals Questions

75 of 436 questions · Page 2/6 · KCNA Kubernetes Fundamentals topic · Answers revealed

76
MCQ · medium

Which field in a Pod's container specification defines the minimum amount of CPU guaranteed to the container?

A. spec.containers.cpu
B. resources.requests.cpu
C. resources.limits.cpu
D. spec.nodeSelector
Answer: B

Requests specify the minimum amount of CPU reserved for the container.

Why this answer

Option B is correct because in Kubernetes, the `resources.requests.cpu` field specifies the minimum amount of CPU guaranteed to a container. This value is used by the scheduler to ensure the node has enough allocatable CPU, and by the kubelet to enforce CPU shares via the Completely Fair Scheduler (CFS) in the Linux kernel.

Exam trap

The trap here is that candidates often confuse `requests` (guaranteed minimum) with `limits` (maximum allowed), especially since both are defined under `resources` and both use the same unit (e.g., millicores).

How to eliminate wrong answers

Option A is wrong because `spec.containers.cpu` is not a valid field; CPU requests are nested under `resources.requests.cpu`. Option C is wrong because `resources.limits.cpu` defines the maximum CPU a container can burst to, not the guaranteed minimum. Option D is wrong because `spec.nodeSelector` is a scheduling constraint that selects nodes based on labels, not a container resource specification.

77
Multi-Select · hard

Which THREE of the following are valid ways to expose a set of pods as a network service in Kubernetes?

Select 3 answers
A. Creating a Service of type NodePort.
B. Creating a headless Service (clusterIP: None).
C. Creating an Ingress resource.
D. Creating a Deployment with a label selector.
E. Creating a Service of type ClusterIP.
Answers: A, C, E

Correct; NodePort exposes on a static port on each node.

Why this answer

A Service of type NodePort exposes the pods on a static port on each node's IP address, making the service accessible externally. This is a valid method for exposing a set of pods as a network service in Kubernetes.

Exam trap

Cisco often tests the distinction between workload resources (like Deployments) and networking resources (like Services and Ingresses), leading candidates to mistakenly think a Deployment alone can expose pods as a network service.

78
MCQ · medium

Which kubectl command is used to create or update resources defined in a YAML file?

A. kubectl update -f file.yaml
B. kubectl create -f file.yaml
C. kubectl apply -f file.yaml
D. kubectl set -f file.yaml
Answer: C

This creates or updates resources based on the current state defined in the file.

Why this answer

Option C is correct because `kubectl apply -f file.yaml` uses a declarative approach to create or update Kubernetes resources. It sends the YAML configuration to the API server, which compares the desired state with the current state and applies the necessary changes, storing the last-applied configuration in an annotation for future updates.

Exam trap

The trap here is that candidates confuse `kubectl create` (imperative, fails on existing resources) with `kubectl apply` (declarative, handles both create and update), or assume a non-existent `kubectl update` command exists based on other tools like `apt update`.

How to eliminate wrong answers

Option A is wrong because `kubectl update` is not a valid kubectl command; Kubernetes uses `kubectl edit`, `kubectl patch`, or `kubectl apply` to modify resources, not `update`. Option B is wrong because `kubectl create -f file.yaml` only creates new resources and will fail if the resource already exists, whereas the question asks for creating OR updating. Option D is wrong because `kubectl set -f file.yaml` is not a valid command; `kubectl set` is used to modify specific fields of live resources (e.g., `kubectl set image`), not to apply a full YAML file.

79
Multi-Select · easy

Which TWO components are part of the Kubernetes control plane?

Select 2 answers
A. container runtime
B. kubelet
C. kube-apiserver
D. etcd
E. kube-proxy
Answers: C, D

kube-apiserver is the front-end for the Kubernetes control plane.

Why this answer

The Kubernetes control plane manages the cluster's state and scheduling decisions. The kube-apiserver (C) is the front-end for the control plane, exposing the Kubernetes API, while etcd (D) is the distributed key-value store that holds all cluster data, including configuration and state. Both are essential control plane components.

Exam trap

CNCF often tests the misconception that kubelet or kube-proxy are control plane components because they are essential for node operation, but they actually run on worker nodes and are considered node-level services.

80
Multi-Select · medium

Which two of the following are valid ways to expose a set of Pods to external traffic?

Select 2 answers
A. Create a Service of type NodePort
B. Use a ConfigMap to expose the Pods
C. Create an Ingress resource without a Service
D. Create a Service of type LoadBalancer
E. Create a Service of type ClusterIP
Answers: A, D

NodePort exposes the Service on each node's IP at a static port.

Why this answer

NodePort and LoadBalancer are two Service types that expose applications externally.

81
MCQ · medium

A user wants to run a one-time batch job that runs to completion. Which Kubernetes resource should they use?

A. Job
B. StatefulSet
C. DaemonSet
D. Deployment
Answer: A

Jobs manage pods that run to completion.

Why this answer

A Job is designed to run a specified number of pods to successful completion, ideal for batch processing.

82
Multi-Select · medium

Which TWO components are part of the Kubernetes control plane? (Select exactly two.)

Select 2 answers
A. kube-proxy
B. kubelet
C. container runtime
D. kube-apiserver
E. kube-scheduler
Answers: D, E

API server is a control plane component.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane, exposing the Kubernetes API for all cluster operations. The kube-scheduler is responsible for assigning newly created pods to nodes based on resource availability and policy constraints. Both are essential control plane components that manage cluster state and scheduling decisions.

Exam trap

CNCF often tests the distinction between control plane and worker node components, and the trap here is that candidates confuse kube-proxy or kubelet (which run on every node) with control plane components because they are essential for cluster operation, but they are not part of the control plane itself.

83
MCQ · hard

A Kubernetes cluster has multiple worker nodes. You create a Pod without any node selector. The scheduler places the pod on a node, but the pod remains in 'Pending' state. 'kubectl describe pod' shows '0/1 nodes are available: 1 node had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What does this indicate?

A. The node has a taint that the pod does not tolerate
B. The pod has a resource request that exceeds the node's capacity
C. The node is cordoned and should be uncordoned
D. The node is out of disk space
Answer: A

The error explicitly states the node had a taint that the pod didn't tolerate.

Why this answer

The node is tainted, and the pod lacks the corresponding toleration. The scheduler cannot schedule the pod on that node.

84
MCQ · hard

A user reports that their application's DNS resolution is failing for a Service named 'my-service' in the same namespace. They are able to reach the Service by its cluster IP. Which of the following is the most likely cause?

A. The application container is using an incorrect DNS policy
B. The kube-proxy is misconfigured on the node
C. The CoreDNS pod is not running or misconfigured
D. The Service is of type ExternalName
Answer: C

CoreDNS is responsible for DNS resolution for Services. If CoreDNS is down or misconfigured, DNS queries for Services will fail.

Why this answer

Option C is correct because DNS resolution for a Service in the same namespace relies on CoreDNS, which is the cluster DNS provider in Kubernetes. If CoreDNS is not running or misconfigured, DNS queries for the Service name (e.g., 'my-service') will fail, even though the Service is reachable via its cluster IP. The user's ability to reach the Service by IP confirms that kube-proxy and networking are functional, isolating the issue to DNS resolution.

Exam trap

CNCF often tests the distinction between DNS resolution and Service reachability, trapping candidates who assume that a DNS failure must be caused by the application's DNS policy rather than the cluster DNS service itself.

How to eliminate wrong answers

Option A is wrong because an incorrect DNS policy (e.g., ClusterFirstWithHostNet or None) would affect how the container resolves names, but it would not cause a complete failure for a Service in the same namespace if CoreDNS is healthy; the user can still reach the Service by IP, indicating the DNS policy is not the primary issue. Option B is wrong because kube-proxy is responsible for implementing Service IP-to-Pod routing via iptables or IPVS; since the user can reach the Service by its cluster IP, kube-proxy is functioning correctly. Option D is wrong because a Service of type ExternalName returns a CNAME record, not a cluster IP; the user can reach the Service by its cluster IP, so the Service cannot be of type ExternalName.

85
MCQ · medium

A Service of type ClusterIP is created. What is the default behavior of this Service?

A. It exposes the Service externally via a cloud load balancer
B. It exposes the Service on a static port on each node
C. It routes traffic to Pods based on external DNS names
D. It exposes the Service on a cluster-internal IP
Answer: D

ClusterIP is the default and provides internal connectivity only.

Why this answer

Option D is correct because a ClusterIP Service is the default Kubernetes Service type, which assigns a virtual IP address reachable only within the cluster. Traffic sent to this IP is load-balanced across the Pods selected by the Service's label selector, using iptables or IPVS rules. No external access is provided unless an Ingress or other mechanism is explicitly configured.

Exam trap

The trap here is that candidates often confuse the default Service type (ClusterIP) with NodePort or LoadBalancer, assuming a Service must be externally accessible by default, but Kubernetes intentionally isolates ClusterIP Services to internal cluster traffic only.

How to eliminate wrong answers

Option A is wrong because exposing a Service externally via a cloud load balancer is the behavior of a Service of type LoadBalancer, not ClusterIP. Option B is wrong because exposing the Service on a static port on each node is the behavior of a Service of type NodePort, which opens a high port on every node's IP. Option C is wrong because routing traffic based on external DNS names is not a native Service behavior; DNS-based routing is typically handled by an Ingress controller or external DNS integration, not by a ClusterIP Service.

86
MCQ · medium

Which field in a Deployment YAML specifies the number of pod replicas?

A. spec.replicas
B. spec.template.spec.replicas
C. spec.replicaCount
D. spec.selector.matchLabels
Answer: A

This is the correct field.

Why this answer

The 'replicas' field under 'spec' determines how many pod instances should be running.

87
MCQ · medium

You need to update a Deployment's container image from nginx:1.14 to nginx:1.16 and ensure zero downtime. Which kubectl command should you use?

A. kubectl set image deployment/my-deployment nginx=nginx:1.16
B. kubectl patch deployment my-deployment -p '{"spec":{"template":{"spec":{"containers":[{"name":"nginx","image":"nginx:1.16"}]}}}}'
C. kubectl edit deployment my-deployment --image=nginx:1.16
D. kubectl update deployment my-deployment --image=nginx:1.16
Answer: A

This command updates the container image and triggers a rolling update.

Why this answer

The 'set image' command updates the container image for a Deployment, triggering a rolling update by default.

88
MCQ · hard

You have a Deployment with 3 replicas. You need to perform a rolling update with 2 extra pods during the update and ensure that only 1 pod is unavailable at any time. Which update strategy configuration achieves this?

A. maxSurge: 1, maxUnavailable: 2
B. maxSurge: 0, maxUnavailable: 2
C. maxSurge: 3, maxUnavailable: 0
D. maxSurge: 2, maxUnavailable: 1
Answer: D

Why this answer

The maxSurge field controls how many extra pods can be created above the desired count during an update. maxUnavailable controls how many pods can be unavailable. To have 2 extra pods (maxSurge=2) and only 1 unavailable (maxUnavailable=1), the correct configuration is maxSurge=2, maxUnavailable=1.

89
Multi-Select · easy

Which two of the following are benefits of using Kubernetes for container orchestration? (Select TWO.)

Select 2 answers
A. Integrated continuous integration pipeline
B. Automatic code compilation
C. Self-healing: automatically restarts failed containers
D. Built-in database management
E. Automated rollouts and rollbacks
Answers: C, E

Kubernetes replaces containers that fail.

Why this answer

Kubernetes provides self-healing and automated scaling.

90
MCQ · hard

A developer wants to inject environment variables into a pod from a ConfigMap named 'app-config'. Which YAML snippet correctly mounts all key-value pairs from the ConfigMap as environment variables?

A.
    env:
      - name: CONFIG
        value: "$(CONFIGMAP)"
B.
    envFrom:
      - configMapRef:
          name: app-config
C.
    volumes:
      - name: config
        configMap:
          name: app-config
    volumeMounts:
      - name: config
        mountPath: /etc/config
D.
    env:
      - name: CONFIG
        valueFrom:
          configMapKeyRef:
            name: app-config
            key: config.yaml
Answer: B

This mounts all keys from the ConfigMap as environment variables.

Why this answer

Option B is correct because `envFrom` with a `configMapRef` injects all key-value pairs from the ConfigMap named 'app-config' as environment variables into the container. This is the standard Kubernetes method for bulk injection of ConfigMap data into environment variables, as opposed to selecting individual keys.

Exam trap

The trap here is that candidates often confuse `envFrom` (bulk injection) with `env` + `configMapKeyRef` (single key injection) or volume mounts (file-based injection), leading them to pick options that inject only one key or mount files instead of environment variables.

How to eliminate wrong answers

Option A is wrong because `env` with `value: "$(CONFIGMAP)"` is not valid syntax; Kubernetes does not support referencing a ConfigMap via a variable expansion like `$(CONFIGMAP)` — it requires explicit `valueFrom` or `envFrom`. Option C is wrong because it mounts the ConfigMap as a volume at `/etc/config`, which injects keys as files, not as environment variables — this does not satisfy the requirement to inject them as environment variables. Option D is wrong because it uses `env` with `configMapKeyRef` to inject only a single key (`config.yaml`) from the ConfigMap, not all key-value pairs.

91
MCQ · easy

A developer wants to run a one-time batch job that processes a queue and then terminates. Which Kubernetes resource should they use?

A. Job
B. StatefulSet
C. Deployment
D. DaemonSet
Answer: A

Jobs run pods until successful completion.

Why this answer

A Kubernetes Job is designed for finite, batch-oriented tasks that run to completion, such as processing a queue and then terminating. Unlike controllers that maintain a desired state (like Deployments or StatefulSets), a Job creates one or more Pods and ensures they successfully exit, making it the correct choice for a one-time batch job.

Exam trap

The trap here is that candidates confuse a Job with a Deployment, assuming that any workload that 'runs' must be a Deployment, but Deployments are designed for long-running services and will restart terminated Pods, whereas a Job is the correct resource for workloads that should run to completion and then stop.

How to eliminate wrong answers

Option B (StatefulSet) is wrong because it is used for stateful applications that require stable, unique network identities and persistent storage, not for one-time batch jobs. Option C (Deployment) is wrong because it manages a set of Pods intended to run continuously (e.g., web servers) and will restart Pods if they exit, which is the opposite of a terminating batch job. Option D (DaemonSet) is wrong because it ensures that a copy of a Pod runs on every node (or a subset of nodes) in the cluster, typically for long-running system services like log collectors or monitoring agents, not for one-time tasks.

92
Multi-Select · medium

Which TWO resources can be used to store configuration data separately from container images?

Select 2 answers
A. Service
B. PersistentVolume
C. Secret
D. Deployment
E. ConfigMap
Answers: C, E

Secrets store sensitive data like passwords or tokens.

Why this answer

ConfigMaps and Secrets are Kubernetes API objects designed specifically to decouple configuration data and sensitive information from container images. ConfigMaps store non-sensitive key-value pairs (e.g., environment variables, command-line arguments, or configuration files), while Secrets store sensitive data (e.g., passwords, tokens, or SSH keys) in base64-encoded or encrypted form. Both can be mounted into pods as volumes or injected as environment variables, allowing image reuse across different environments without rebuilding.

Exam trap

CNCF often tests the distinction between storage for configuration data (ConfigMaps/Secrets) vs. storage for application data (PersistentVolumes), so candidates mistakenly select PersistentVolume thinking it can store config files, but it is intended for stateful workloads like databases, not for decoupling configuration from images.

93
MCQ · medium

Which Kubernetes command displays the current state of a pod, including its IP address, node, and container statuses?

A. kubectl get pod -o wide
B. kubectl describe pod
C. kubectl logs pod
D. kubectl get pod
Answer: A

The -o wide flag adds details such as node and IP.

Why this answer

Option A is correct because `kubectl get pod -o wide` extends the default output to include additional columns such as the pod's IP address, the node it is scheduled on, and the container statuses (e.g., READY state). This command queries the Kubernetes API server for the pod's current state and formats the response with extra details, making it the most direct way to view the pod's IP and node assignment in a single line.

Exam trap

The trap here is that candidates often assume `kubectl get pod` alone shows all relevant pod details, but Cisco tests the specific requirement for the `-o wide` flag to expose the pod IP and node fields, which are hidden in the default output.

How to eliminate wrong answers

Option B is wrong because `kubectl describe pod` provides a detailed, multi-line description of a pod, including its IP address, node, and container statuses, but it is not a single-line display of the current state; it is a verbose output meant for troubleshooting, not a concise summary. Option C is wrong because `kubectl logs pod` retrieves the container logs from the pod's stdout/stderr, not the pod's state, IP address, or node information; it is used for debugging application output, not for inspecting pod metadata. Option D is wrong because `kubectl get pod` (without `-o wide`) displays only the basic columns (NAME, READY, STATUS, RESTARTS, AGE) and omits the pod IP and node fields, which are only added with the `-o wide` output format.

94
MCQ · hard

Refer to the exhibit. A pod 'my-pod' shows repeated 'BackOff' events after the container starts. Which is the most likely cause?

A. The image 'myapp:v2' does not exist.
B. The container exceeds its memory limit.
C. The liveness probe is failing.
D. The application crashes shortly after starting.
Answer: D

Correct; the container starts but then crashes, leading to restart backoff.

Why this answer

The 'BackOff' event in Kubernetes indicates that the container has started but repeatedly crashes, causing the kubelet to increase the restart delay. Option D is correct because an application that crashes shortly after starting will trigger this restart loop, as the container exits with a non-zero exit code, leading to exponential backoff.

Exam trap

Cisco often tests the distinction between 'ImagePullBackOff' (image not found) and 'CrashLoopBackOff' (container crashes after start), so candidates must recognize that 'BackOff' events after the container starts point to a runtime crash, not a pull failure.

How to eliminate wrong answers

Option A is wrong because if the image 'myapp:v2' does not exist, the pod would show 'ErrImagePull' or 'ImagePullBackOff' events, not 'BackOff' after the container starts. Option B is wrong because exceeding the memory limit causes an 'OOMKilled' status and a container restart, but the event would typically be 'OOMKilled' or 'CrashLoopBackOff', not specifically 'BackOff' after a successful start. Option C is wrong because a failing liveness probe results in the container being killed and restarted, but the event would be 'Unhealthy' or 'Liveness probe failed', and the pod would show 'CrashLoopBackOff' rather than 'BackOff' immediately after start.

95
MCQ · medium

Which of the following is a correct YAML structure for a Service of type ClusterIP?

A.
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
    spec:
      selector:
        app: myapp
      ports:
        - port: 80
B.
    apiVersion: v1
    kind: Pod
    metadata:
      name: my-service
    spec:
      selector:
        app: myapp
      ports:
        - port: 80
C.
    apiVersion: apps/v1
    kind: Service
    metadata:
      name: my-service
    spec:
      selector:
        app: myapp
      ports:
        - port: 80
D.
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
    spec:
      app: myapp
      ports:
        - port: 80
Answer: A

This is a valid Service manifest.

Why this answer

A valid Service YAML includes apiVersion: v1, kind: Service, metadata, and spec with selector and ports.

96
MCQ · medium

A developer wants to deploy a stateless web application that should maintain three running instances at all times. Which Kubernetes resource should they use?

A. Job
B. Deployment
C. StatefulSet
D. DaemonSet
Answer: B

Deployment manages ReplicaSets to maintain a desired number of replicas and supports rolling updates.

Why this answer

A Deployment manages a ReplicaSet to ensure the desired number of pod replicas are running, supports rolling updates, and is ideal for stateless applications.

97
MCQ · hard

You create a Pod with a liveness probe that uses an HTTP GET on port 8080, path /healthz. The probe fails after the container starts. What will happen to the Pod?

A. The Pod will be marked as Unhealthy and removed from Service endpoints
B. The container will be restarted automatically
C. The Pod will be evicted from the node
D. The Pod will be deleted and recreated on a different node
Answer: B

Liveness probe failure triggers container restart.

Why this answer

A liveness probe indicates whether the container is running. If it fails, kubelet restarts the container according to the pod's restartPolicy.

98
MCQ · medium

You have a Deployment that manages 3 replicas of a web application. You want to perform a rolling update with zero downtime. Which kubectl command should you use?

A. kubectl set image deployment/myapp mycontainer=myimage:v2
B. kubectl delete pod myapp-xyz --grace-period=0
C. kubectl patch deployment myapp -p '{"spec":{"replicas":5}}'
D. kubectl rollout undo deployment/myapp
Answer: A

This updates the container image and triggers a rolling update.

Why this answer

The 'kubectl set image deployment/myapp mycontainer=myimage:v2' command updates the container image and triggers a rolling update defined by the deployment's strategy.

99
MCQ · medium

A Deployment is created with `replicas: 3`. After applying the manifest, only 2 pods are running and one is in Pending state. What is the most likely reason?

A. The Service selector does not match
B. The Deployment name is misspelled
C. There are insufficient resources on the nodes
D. The container image is invalid
Answer: C

Pending often indicates insufficient CPU or memory to schedule the pod.

Why this answer

When a Pod remains in Pending state, it means the scheduler cannot find a node that satisfies the Pod's resource requirements (CPU, memory, or other constraints). Since two Pods are running successfully, the Deployment configuration (image, name, selector) is valid, and the issue is that the cluster lacks sufficient capacity to schedule the third replica. The scheduler continuously evaluates node resources and will leave the Pod pending until resources become available or the request is adjusted.

Exam trap

CNCF often tests the distinction between Pod lifecycle phases (Pending vs. CrashLoopBackOff vs. ImagePullBackOff) to see if candidates confuse scheduling failures with runtime or image errors.

How to eliminate wrong answers

Option A is wrong because a Service selector mismatch would not cause a Pod to be in Pending state; it would affect traffic routing but not Pod scheduling or creation. Option B is wrong because a misspelled Deployment name would cause the manifest to fail at creation time or create a separate resource, not result in a partially running Deployment with two Pods. Option D is wrong because an invalid container image would cause the Pod to enter ImagePullBackOff or ErrImagePull state, not Pending; Pending occurs before the container runtime attempts to pull the image.

100
MCQ · easy

Which component on a worker node is responsible for enforcing the desired state of pods as defined in the pod specification?

A. kube-scheduler
B. kube-proxy
C. container runtime
D. kubelet
Answer: D

Why this answer

The kubelet is the primary node agent that runs on each node. It ensures that containers are running in a pod as described in the pod spec.

101
MCQ · hard

A pod is stuck in 'Pending' state. Which of the following is NOT a common cause for a pod to remain Pending?

A. Insufficient CPU or memory resources available in the cluster
B. The node selector in the pod spec does not match any node labels
C. The container runtime is not functioning on the node
D. The pod's PVC is not yet bound to a PV
Answer: B

If node selector labels don't match any node, the pod cannot be scheduled and stays Pending.

Why this answer

Option C is correct. A container runtime error typically causes the pod to stay in 'ContainerCreating' or crash, not 'Pending'. Pending usually indicates scheduling issues (insufficient resources, node selector/label mismatch) or storage issues (PVC not bound).

102
MCQ · hard

Which of the following is a correct way to assign a pod to a specific node using a nodeSelector?

A.
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms: ...
B.
    spec:
      nodeName: "node1"
C.
    spec:
      nodeSelector: [disktype: ssd]
D.
    spec:
      nodeSelector:
        disktype: ssd
Answer: D

This is the correct syntax for nodeSelector.

Why this answer

A nodeSelector is a simple pod spec field that matches node labels. The correct format is a map of key-value pairs under 'spec.nodeSelector'.

103
Multi-Select · hard

Which THREE are valid ways to provide configuration data to a pod in Kubernetes?

Select 3 answers
A. Use an init container to write configuration to a shared volume
B. Mount a ConfigMap as a volume
C. Mount a Secret as a volume
D. Hardcode environment variables in the pod spec that contain sensitive data
E. Use environment variables from a ConfigMap
Answers: B, C, E

ConfigMaps can be mounted as files in a pod.

Why this answer

Option B is correct because a ConfigMap is a Kubernetes API object designed to store non-confidential configuration data in key-value pairs. Mounting a ConfigMap as a volume makes its data available as files in the pod's filesystem, allowing applications to read configuration without hardcoding it into the container image or pod spec. This approach decouples configuration from containerized applications, following the principle of immutable infrastructure.

Exam trap

Cisco often tests the misconception that any method of injecting data into a pod is a 'valid' configuration approach, but the KCNA exam expects you to recognize that only native Kubernetes API objects (ConfigMaps and Secrets) are the recommended and valid ways to provide configuration data, rejecting ad-hoc methods like init container scripts or hardcoded values.

104
MCQ · easy

Which Kubernetes primitive is the smallest and simplest unit in the Kubernetes object model that you can create or deploy?

A. ReplicaSet
B. Pod
C. Deployment
D. Container
Answer: B

A Pod is the smallest and simplest Kubernetes object. It represents a single instance of a running process and can contain one or more containers.

Why this answer

A Pod is the smallest deployable unit in Kubernetes, representing a single instance of a running process in the cluster.

105
MCQ · easy

Which control plane component is responsible for assigning pods to nodes?

A. etcd
B. kube-apiserver
C. kube-scheduler
D. kube-controller-manager
Answer: C

The kube-scheduler watches for newly created pods and assigns them to nodes.

Why this answer

The kube-scheduler assigns pods to nodes based on resource requirements, policies, and constraints.

106
Multi-Select · medium

Which TWO of the following are valid use cases for Kubernetes Namespaces? (Select 2)

Select 2 answers
A. To enforce resource quotas and limits on the resources within the namespace
B. To create separate environments like development, staging, and production in the same cluster
C. To isolate cluster-wide resources such as Nodes and PersistentVolumes
D. To improve performance by reducing network latency between Pods
E. To separate resources for different teams or projects within a single cluster
Answers: B, E

Namespaces allow you to create logically separated environments within the same physical cluster.

Why this answer

Options A and D are correct. Namespaces provide logical isolation for resources and can be used to separate environments (dev, prod) or teams. Option B is incorrect because cluster-wide resources like Nodes are not namespaced.

Option C is incorrect because namespaces do not enforce resource quotas; ResourceQuota objects do. Option E is incorrect because namespaces do not improve performance; they add overhead.

107
Multi-Select · medium

Which THREE fields are required in a Kubernetes manifest YAML file?

Select 3 answers
A. kind
B. metadata
C. status
D. spec
E. apiVersion
Answers: A, B, E

Defines the type of Kubernetes resource.

Why this answer

The 'kind' field is required because it tells Kubernetes which type of object to create (e.g., Pod, Deployment, Service). Without it, the API server cannot route the manifest to the correct resource handler. It must be a valid Kubernetes resource kind from the core API or a custom resource definition.

Exam trap

CNCF often tests the misconception that 'spec' is always required, but the KCNA exam expects you to know that status is never user-supplied and that spec is optional for certain built-in resources like Namespace or LimitRange.

108
MCQ · medium

You have two pods in different namespaces that need to communicate using a stable IP address. Which Kubernetes object provides a stable endpoint for a set of pods?

A. ConfigMap
B. Ingress
C. Service
D. Deployment
Answer: C

Services provide stable networking endpoints for pods.

Why this answer

A Service provides a stable IP address and DNS name that routes traffic to a set of pods, regardless of pod IP changes.

109
MCQ · hard

A Deployment is rolling out a new version. The rollout has stalled, and 'kubectl rollout status deployment/myapp' shows 'Waiting for deployment rollout to finish: 2 out of 5 new replicas have been updated...'. The Deployment's spec.strategy.rollingUpdate.maxUnavailable is set to 25% and maxSurge is 25%. What is the maximum number of Pods that could be unavailable during this rollout?

A. 1
B. 3
C. 2
D. 0
Answer: C

maxUnavailable=25% of 5 = 1.25, so up to 2 Pods can be unavailable.

Why this answer

Option C is correct because with maxUnavailable=25% and maxSurge=25%, the maximum number of unavailable Pods during a rolling update is calculated as the ceiling of 25% of the desired replicas (5), which is 2. This means up to 2 Pods can be unavailable at any time, ensuring the rollout can proceed while maintaining availability.

Exam trap

The trap here is that candidates often forget that maxUnavailable is calculated as a percentage of the desired replicas and rounded up, leading them to incorrectly calculate 25% of 5 as 1.25 and round down to 1, or they misinterpret the rollout status as showing only 2 Pods are updated, assuming that is the maximum unavailable, when in fact the maximum is determined by the strategy, not the current state.

How to eliminate wrong answers

Option A is wrong because 1 is less than the calculated maximum of 2 (ceiling of 25% of 5), and the rollout status shows 2 new replicas are updated, indicating at least 2 Pods are unavailable. Option B is wrong because 3 exceeds the maximum allowed by the rolling update strategy; maxUnavailable=25% limits unavailable Pods to 2, and having 3 unavailable would violate the Deployment's availability guarantee. Option D is wrong because 0 is not possible during a rollout; the rollout status explicitly shows 2 out of 5 new replicas are updated, meaning at least 2 old Pods are being terminated and are unavailable.

110
MCQmedium

You have a Pod that is in 'Pending' state. What is the most likely cause?

A.The node is out of CPU or memory resources.
B.The application inside the container crashed.
C.The container image is missing.
D.The Service does not have any endpoints.
AnswerA

If no node has sufficient resources to satisfy the Pod's requests, the scheduler cannot place it, leaving it Pending.

Why this answer

A Pod in 'Pending' state indicates that the scheduler has not yet assigned it to a node. The most common reason is insufficient resources (CPU or memory) on any available node, causing the scheduler to fail to find a suitable node that meets the Pod's resource requests. This is a core scheduling failure in Kubernetes.

Exam trap

CNCF often tests the distinction between Pod lifecycle states, and the trap here is confusing 'Pending' (pre-scheduling) with post-scheduling failures like image pull errors or container crashes, which have distinct states (e.g., ImagePullBackOff, CrashLoopBackOff).

How to eliminate wrong answers

Option B is wrong because a container crash (e.g., application exit code non-zero) results in a 'CrashLoopBackOff' or 'Error' state, not 'Pending'. Option C is wrong because a missing container image causes the Pod to enter 'ImagePullBackOff' or 'ErrImagePull' state after scheduling, not 'Pending'. Option D is wrong because a Service lacking endpoints does not affect Pod scheduling; it is a networking issue that affects service discovery, not the Pod's lifecycle state.

111
MCQmedium

A service of type ClusterIP is created but pods cannot reach it using the service name. The pods are in the same namespace. What is a likely cause?

A.The service is not exposed externally
B.CoreDNS is not running or misconfigured
C.The service port does not match the container port
D.The selector does not match any pod labels
AnswerB

DNS resolution for service names relies on CoreDNS; if it's down, names won't resolve.

Why this answer

ClusterIP services are reachable via DNS if CoreDNS is running. If the service name is not resolvable, CoreDNS might be misconfigured or not running.

112
Multi-Selectmedium

Which THREE of the following are valid ways to expose environment variables from a ConfigMap to a pod?

Select 3 answers
A.volumes and volumeMounts
B.env.value
C.env.valueFrom.secretKeyRef
D.env.valueFrom.configMapKeyRef
E.envFrom
AnswersA, D, E

ConfigMaps can be mounted as volumes, where each key appears as a file.

Why this answer

Option A is correct because ConfigMaps can be exposed as files in a pod's filesystem using a volume mount. When you define a ConfigMap as a volume in the pod spec and mount it via volumeMounts, each key in the ConfigMap becomes a file in the specified mount path, with the key's value as the file content. This is a standard method for injecting configuration data into containers without modifying the container image.

Exam trap

CNCF often tests the distinction between `configMapKeyRef` and `secretKeyRef`, expecting candidates to know that `secretKeyRef` is for Secrets only, not ConfigMaps, and that `env.value` is for static values, not dynamic references.

113
MCQmedium

You need to provide an application with configuration data that does not change often and should not be baked into the container image. Which Kubernetes resource should you use?

A.Secret
B.PersistentVolumeClaim
C.ConfigMap
D.ServiceAccount
AnswerC

Why this answer

ConfigMap is the correct Kubernetes resource for providing configuration data that does not change often and should not be baked into the container image. It decouples configuration artifacts from image content, allowing you to update configuration without rebuilding images, and supports injection via environment variables, command-line arguments, or volume mounts.

Exam trap

The trap here is that candidates confuse ConfigMap with Secret, assuming all configuration must be secret, or they mistakenly think PersistentVolumeClaim can store configuration files, when in fact ConfigMap is the correct resource for non-sensitive, frequently updated configuration data.

How to eliminate wrong answers

Option A is wrong because Secrets are specifically designed for sensitive data (e.g., passwords, tokens, SSH keys) and are base64-encoded, not for general configuration data that does not change often. Option B is wrong because PersistentVolumeClaim is used to request persistent storage volumes for stateful workloads, not for injecting configuration data into containers. Option D is wrong because ServiceAccount provides an identity for Pods to authenticate with the Kubernetes API server, not for storing or delivering configuration data.

114
Multi-Selectmedium

Which TWO of the following are valid ways to expose a set of pods as a network service within a Kubernetes cluster?

Select 2 answers
A.Create a StatefulSet with pod hostnames.
B.Create a Service of type ExternalName.
C.Create a ConfigMap with pod IPs.
D.Create a Service of type ClusterIP.
E.Create an Ingress resource that routes to a Service.
AnswersD, E

ClusterIP exposes pods internally.

Why this answer

A Service of type ClusterIP exposes a set of pods as a network service within the cluster by assigning a stable virtual IP address and DNS name. Traffic to this IP is load-balanced across the pods matching the Service's label selector, enabling internal cluster communication without external exposure.

Exam trap

Cisco often tests the distinction between a resource that manages pods (like StatefulSet) and a resource that provides network access to those pods (like Service), leading candidates to confuse pod management with service exposure.

115
MCQeasy

Which component is the primary entry point for all administrative tasks and API requests in a Kubernetes cluster?

A.kube-controller-manager
B.kube-apiserver
C.etcd
D.kube-scheduler
AnswerB

The API server is the entry point for all REST API calls.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane and exposes the Kubernetes API.

116
MCQhard

You have a ConfigMap named 'app-config' and a Secret named 'db-password'. You want to mount them into a pod. Which statement is correct?

A.Secrets can be mounted as volumes, but ConfigMaps cannot
B.Both ConfigMaps and Secrets can be mounted as volumes
C.ConfigMaps can be mounted as volumes, but Secrets cannot
D.ConfigMaps and Secrets can only be exposed as environment variables
AnswerB

Both resource types support volume mounting and environment variable injection.

Why this answer

Both ConfigMaps and Secrets are Kubernetes API objects designed to decouple configuration data from container images. They can be mounted as volumes into pods, allowing files to be created in the container's filesystem with the data from the ConfigMap or Secret. This is a core feature for managing configuration and sensitive data in Kubernetes.

Exam trap

CNCF often tests the misconception that Secrets and ConfigMaps have different mounting capabilities, when in fact both support volume mounts and environment variable injection, with the key difference being that Secrets are base64-encoded and intended for sensitive data.

How to eliminate wrong answers

Option A is wrong because ConfigMaps can indeed be mounted as volumes, just like Secrets. Option C is wrong because Secrets can be mounted as volumes, just like ConfigMaps. Option D is wrong because both ConfigMaps and Secrets can be exposed as environment variables AND mounted as volumes, not only as environment variables.

117
MCQhard

A cluster administrator needs to ensure that a Deployment named 'frontend' in namespace 'web' is updated with a new image version using a rolling update strategy. The current deployment has 4 replicas. The administrator runs: `kubectl set image deployment/frontend frontend=nginx:1.21 -n web`. Which of the following describes the expected behavior?

A.The Deployment will create a new ReplicaSet and gradually replace old pods with new ones
B.All existing pods will be deleted immediately and new pods will be created with the new image
C.The command will fail because you cannot update a Deployment using kubectl set image
D.The Deployment's image will be updated, but only the container named 'app' will be affected
AnswerA

This is the default rolling update behavior: a new ReplicaSet is created, and pods are gradually transitioned.

Why this answer

The 'kubectl set image' command triggers a rolling update on the Deployment. By default, the Deployment's strategy is RollingUpdate, which updates pods gradually. The ReplicaSet is updated, and old pods are scaled down while new ones are scaled up.

Option B is incorrect because it describes a Recreate update. Option C is false because the Deployment is updated in place. Option D is incorrect because the image is changed for the 'frontend' container.

118
MCQeasy

Which Kubernetes object provides stable network endpoints and load balancing for a set of pods?

A.Service
B.Deployment
C.ConfigMap
D.Pod
AnswerA

Services provide stable IPs and DNS names with load balancing across pods.

Why this answer

A Service is the correct Kubernetes object because it provides a stable virtual IP (ClusterIP) and DNS name that remains constant even as pods are created or destroyed. It automatically load-balances traffic across the set of pods matching its label selector using iptables or IPVS rules, ensuring reliable network endpoints for clients.

Exam trap

The trap here is that candidates often confuse a Deployment's ability to manage replicas with providing network access, forgetting that only a Service creates a stable, load-balanced network abstraction over pods.

How to eliminate wrong answers

Option B (Deployment) is wrong because a Deployment manages pod replicas and rolling updates, but it does not expose a stable network endpoint or perform load balancing; it relies on a Service for that. Option C (ConfigMap) is wrong because it is used to inject configuration data (key-value pairs) into pods as environment variables or files, not to provide network endpoints or load balancing. Option D (Pod) is wrong because a Pod has a dynamic IP that changes on restart, and it cannot provide stable endpoints or load balancing across multiple pods; a Service abstracts over pods to solve this.

119
Multi-Selecthard

Which THREE of the following are required for a Kubernetes pod to be considered healthy and ready to serve traffic?

Select 3 answers
A.The startup probe has succeeded.
B.The container is in the Running state.
C.The pod has at least one endpoint in its Service's endpoints list.
D.The readiness probe has succeeded.
E.The liveness probe has succeeded.
AnswersA, B, D

Startup probe indicates the application has started.

Why this answer

Option A is correct because a startup probe must succeed before the kubelet considers the container started. Until the startup probe succeeds, the readiness and liveness probes are not active, so the pod cannot be marked healthy or ready. This is defined in the Kubernetes API for startup probes, which delay the start of other probes until the application has initialized.

Exam trap

Cisco often tests the distinction between liveness and readiness probes, and the trap here is that candidates confuse a successful liveness probe (which only indicates the container is alive) with the readiness probe (which specifically controls traffic routing), leading them to incorrectly select option E.

120
MCQmedium

What is the role of etcd in a Kubernetes cluster?

A.It manages network policies
B.It stores the cluster state and configuration
C.It schedules pods onto nodes
D.It provides DNS resolution for services
AnswerB

etcd is the backing store for all cluster data.

Why this answer

etcd is a distributed key-value store that stores all cluster data, including configuration, state, and metadata.

121
Multi-Selecthard

Which TWO statements are true about Kubernetes namespaces? (Select 2)

Select 2 answers
A.All Kubernetes resources are namespaced
B.Namespaces provide network isolation by default
C.Resource quotas can be applied to a namespace to limit resource usage
D.Namespaces can be used to separate environments like dev and prod
E.Deleting a namespace automatically deletes all resources in it, including cluster-scoped resources
AnswersC, D

ResourceQuotas can be set per namespace to control aggregate resource consumption.

Why this answer

Namespaces provide logical isolation and are used to divide cluster resources among multiple users or teams. Some resources, like nodes and PersistentVolumes, are cluster-scoped and not namespaced.

122
MCQmedium

A developer wants to expose a set of pods running a web application internally within the cluster using a stable IP address. Which Kubernetes resource should they create?

A.Ingress
B.ConfigMap
C.Deployment
D.Service
AnswerD

A Service (e.g., ClusterIP) provides a stable internal IP and DNS name.

Why this answer

A Service provides a stable endpoint (IP/DNS) and load balancing for a set of pods.

123
MCQhard

You create a Deployment with 'replicas: 3' and update the pod template without changing the selector. After the update, you notice that only the new Pods are running, but old Pods have been terminated. What is the default update strategy?

A.OnDelete
B.BlueGreen
C.RollingUpdate
D.Recreate
AnswerC

RollingUpdate gradually replaces Pods; old ones are terminated as new ones become ready.

Why this answer

The default strategy for Deployments is RollingUpdate, which gradually replaces old Pods with new ones without downtime, and by default it keeps no old Pods running after the update completes.

124
MCQmedium

Which Kubernetes object is used to store non-sensitive configuration data that can be consumed by pods?

A.Secret
B.Annotation
C.Volume
D.ConfigMap
AnswerD

ConfigMap is the correct object for non-sensitive configuration.

Why this answer

ConfigMap is designed to store non-sensitive configuration data as key-value pairs or files.

125
MCQhard

A Deployment is configured with 'strategy.type: RollingUpdate' and 'strategy.rollingUpdate.maxUnavailable: 0'. What is the effect during a rolling update?

A.The update will fail because maxUnavailable must be at least 1
B.The update will not proceed until at least one new pod is ready
C.The update will proceed without any downtime
D.No pod will be terminated until a new pod is ready
AnswerD

With maxUnavailable=0, the controller cannot make any existing pods unavailable, so it must wait for new pods to become ready before terminating old ones.

Why this answer

With maxUnavailable=0, the controller ensures no pods are unavailable during the update, but it may create new pods before terminating old ones, potentially causing resource contention.

126
MCQmedium

What is the smallest deployable unit in Kubernetes that can be created and managed?

A.Deployment
B.Node
C.Container
D.Pod
AnswerD

Pod is the smallest deployable unit.

Why this answer

A Pod is the smallest and simplest Kubernetes object. It represents a single instance of a running process in the cluster.

127
MCQhard

Which of the following kubectl commands would you use to update a Deployment's image to 'nginx:1.21' and record the change in the rollout history?

A.kubectl edit deployment nginx --image=nginx:1.21
B.kubectl set image deployment/nginx nginx=nginx:1.21
C.kubectl set image deployment/nginx nginx=nginx:1.21 --record
D.kubectl patch deployment nginx -p '{"spec":{"template":{"spec":{"containers":[{"name":"nginx","image":"nginx:1.21"}]}}}}' --record
AnswerC

This updates the image and records the change in the rollout history.

Why this answer

Option C is correct because `kubectl set image deployment/nginx nginx=nginx:1.21 --record` updates the container image of the specified deployment and, with the `--record` flag, annotates the change in the rollout history (stored in the `kubernetes.io/change-cause` annotation). This allows you to later inspect the change with `kubectl rollout history deployment/nginx`.

Exam trap

CNCF often tests the `--record` flag as a subtle requirement; candidates may pick option B because it correctly updates the image but forget that the question explicitly asks to record the change in the rollout history.

How to eliminate wrong answers

Option A is wrong because `kubectl edit deployment nginx --image=nginx:1.21` is invalid syntax; `kubectl edit` opens an editor for the resource and does not accept an `--image` flag. Option B is wrong because `kubectl set image deployment/nginx nginx=nginx:1.21` updates the image but does not include the `--record` flag, so the change will not be recorded in the rollout history. Option D is wrong because while `kubectl patch` with the correct JSON patch can update the image and `--record` records it, the question specifically asks for a command to update the image and record the change; option C is the most direct and standard command for this purpose, and option D is unnecessarily complex and less idiomatic for a simple image update.

128
MCQeasy

What is the primary purpose of a Namespace in Kubernetes?

A.To set resource quotas for the entire cluster
B.To define network policies for pods
C.To manage node affinity rules
D.To isolate resources and provide a scope for names
AnswerD

Namespaces partition resources into logically named groups.

Why this answer

Namespaces provide logical isolation and scope for resources within a cluster, allowing multiple virtual clusters backed by the same physical cluster.

129
MCQeasy

Which component runs on each worker node and ensures that containers are running as specified in the Pod spec?

A.kubelet
B.kube-proxy
C.kube-scheduler
D.kube-controller-manager
AnswerA

The kubelet runs on each node and ensures containers are healthy.

Why this answer

The kubelet is the node agent that communicates with the control plane and manages containers on the node.

130
MCQeasy

A Pod is in the 'Pending' state. What is the most likely cause?

A.The Pod is still being scheduled because no Node has enough resources
B.The container image is missing
C.The Service referencing the Pod does not exist
D.The application inside the container has crashed
AnswerA

The scheduler cannot place the Pod, so it remains Pending.

Why this answer

Pending typically means the Pod has been accepted but not yet scheduled, often due to insufficient resources or node availability.

131
MCQhard

A Service of type ClusterIP is not resolving DNS names for pods. The pods are running and can communicate with each other via IP addresses. Which component should be checked first?

A.The kubelet on the node where the pod is running
B.The Service's endpoint slices
C.kube-proxy on the nodes
D.CoreDNS pods in the kube-system namespace
AnswerD

CoreDNS provides DNS resolution for cluster services.

Why this answer

CoreDNS is the cluster DNS service that provides DNS resolution for services and pods. If DNS is not working, CoreDNS pods should be checked.

132
Multi-Selectmedium

Which TWO statements correctly describe the purpose of etcd in a Kubernetes cluster?

Select 2 answers
A.It stores the cluster state, including all Kubernetes objects.
B.It manages network rules for Pod-to-Pod communication.
C.It schedules Pods onto nodes based on resource availability.
D.It exposes the Kubernetes API for external access.
E.It is a distributed key-value store that provides high availability and consistency.
AnswersA, E

etcd is the backing store for all cluster data.

Why this answer

Option A is correct because etcd is the primary data store for all Kubernetes cluster state, including the configuration and status of every Kubernetes object (Pods, Services, Deployments, etc.). It stores this information as key-value pairs, and the Kubernetes API server is the only component that reads from and writes to etcd directly. Without etcd, the cluster would have no persistent record of its desired or current state.

Exam trap

CNCF often tests the distinction between the component that stores state (etcd) and the components that use that state (scheduler, controller manager, API server), so the trap here is confusing etcd's role as a passive data store with the active management functions of other control plane components.

133
Multi-Selectmedium

Which THREE of the following are valid ways to expose a set of pods as a network service in Kubernetes?

Select 3 answers
A.ClusterIP
B.NodePort
C.LoadBalancer
D.Ingress
E.ExternalName
AnswersA, B, C

ClusterIP exposes the service on a cluster-internal IP; it is the default type.

Why this answer

A ClusterIP service exposes the set of pods on a cluster-internal IP address, making it reachable only from within the cluster. This is the default service type in Kubernetes and is valid for internal communication between workloads. It does not provide external access, but it is a core method for exposing pods as a network service.

Exam trap

CNCF often tests the distinction between service types (ClusterIP, NodePort, LoadBalancer) and other networking objects like Ingress or ExternalName, trapping candidates who think Ingress is a service type or that ExternalName exposes pods.

134
Drag & Dropmedium

Arrange the steps to create a Kubernetes Namespace and deploy an application into it in the correct order.


Why this order

First create the namespace, then deploy resources specifying that namespace, and finally verify.

135
MCQmedium

A pod is stuck in Pending state. You run 'kubectl describe pod' and see the event '0/3 nodes are available: 1 node(s) had taint(s) that the pod didn't tolerate, 2 node(s) had insufficient memory.' What is the most likely cause?

A.The pod does not have tolerations for the node's taints and memory is insufficient on other nodes
B.The kube-scheduler is not running
C.The container runtime is not installed on any node
D.The pod's resource requests exceed available resources on all nodes
AnswerA

Why this answer

The pod cannot be scheduled because no node meets its requirements. Two nodes have insufficient memory, and one node has taints that the pod does not tolerate. The primary issue here is insufficient memory on two nodes, but the taint issue also prevents scheduling.

However, the event indicates the pod cannot tolerate the taints on one node. The most direct cause is that the pod lacks tolerations for the node's taints.

136
MCQmedium

Which component runs on every Kubernetes node and ensures that the containers in a pod are running?

A.kube-proxy
B.kube-scheduler
C.kubelet
D.container runtime
AnswerC

The kubelet is the node agent that manages pods.

Why this answer

The kubelet is the primary node agent that watches for pod specs and ensures the containers are healthy.

137
MCQmedium

What is the purpose of a liveness probe in a Kubernetes pod?

A.To check if the pod is scheduled on a node
B.To check if the container has started successfully
C.To check if the application is ready to serve traffic
D.To check if the application is still running; if not, restart the container
AnswerD

Liveness probes indicate whether the container is alive.

Why this answer

A liveness probe in Kubernetes is used to determine if a container is still running and healthy. If the probe fails, the kubelet kills the container and restarts it based on the pod's restart policy. This ensures that applications that have entered a deadlock or hung state are automatically recovered without manual intervention.

Exam trap

The trap here is that candidates often confuse liveness probes with readiness probes, mistakenly thinking liveness determines traffic readiness, but liveness is solely about container health and automatic restarts, not service connectivity.

How to eliminate wrong answers

Option A is wrong because checking if a pod is scheduled on a node is the role of the Kubernetes scheduler and is reflected in the pod's status, not a liveness probe. Option B is wrong because checking if a container has started successfully is the purpose of a startup probe, which runs before other probes to allow slow-starting applications time to initialize. Option C is wrong because checking if the application is ready to serve traffic is the purpose of a readiness probe, which controls whether the pod receives traffic from Services, not whether it should be restarted.

138
MCQmedium

Which of the following is true about Kubernetes Namespaces?

A.Objects in different namespaces cannot communicate with each other
B.Namespaces allow you to divide cluster resources between multiple users
C.Namespaces are global across all clusters
D.Namespaces provide network isolation by default
AnswerB

Namespaces enable resource quotas and RBAC to separate teams.

Why this answer

Namespaces provide a logical separation of resources within a cluster, allowing multiple teams or projects to coexist.

139
Multi-Selecthard

An administrator wants to perform a rolling update of a Deployment. Which TWO actions will achieve this?

Select 2 answers
A.Run 'kubectl set image deployment/myapp myapp=myapp:v2'
B.Run 'kubectl scale deployment myapp --replicas=0' then 'kubectl scale deployment myapp --replicas=5'
C.Run 'kubectl delete deployment' and then 'kubectl create deployment' with the new image
D.Run 'kubectl rollout undo deployment/myapp'
E.Edit the Deployment YAML to change the image version and run 'kubectl apply -f deployment.yaml'
AnswersA, E

This command updates the container image and triggers a rolling update.

Why this answer

Option A is correct because 'kubectl set image deployment/myapp myapp=myapp:v2' directly updates the container image in the Deployment's pod template, which triggers a rolling update by default. The Deployment controller then creates a new ReplicaSet with the updated image and gradually scales it up while scaling down the old ReplicaSet, ensuring zero downtime.

Exam trap

The trap here is that candidates may confuse scaling (Option B) or deleting/recreating (Option C) with a rolling update, or think that 'rollout undo' (Option D) is a way to update to a new image, when it is actually for reverting to a previous version.

140
Multi-Selectmedium

Which THREE of the following are valid Kubernetes resource types?

Select 3 answers
A.DockerImage
B.Deployment
C.ConfigMap
D.VirtualMachine
E.Service
AnswersB, C, E

A Deployment is a standard resource.

Why this answer

Deployment, Service, and ConfigMap are core Kubernetes resources. DockerImage and VirtualMachine are not native Kubernetes objects.

141
Multi-Selectmedium

Which two components are part of the Kubernetes worker node? (Select TWO)

Select 2 answers
A.kubelet
B.kube-controller-manager
C.etcd
D.kube-scheduler
E.container runtime
AnswersA, E

Kubelet manages pods on the node.

Why this answer

Kubelet and container runtime are essential components running on each worker node. Kube-proxy also runs on worker nodes but is often considered part of the node. The question asks for two, and the most fundamental are kubelet and container runtime.

142
MCQmedium

A DevOps engineer has created a ConfigMap named 'app-config' with some configuration data. They want to make that data available as environment variables in a pod. Which field in the pod spec should they use to achieve this?

A.spec.volumes
B.spec.containers[].volumeMounts
C.spec.containers[].envFrom
D.spec.containers[].env
AnswerC

envFrom takes a list of configMapRef or secretRef to populate environment variables.

Why this answer

Option C is correct because the `envFrom` field in the container spec allows you to inject all key-value pairs from a ConfigMap (or Secret) as environment variables into the container. This is the most direct and efficient way to expose ConfigMap data as environment variables without needing to specify each key individually.

Exam trap

The trap here is that candidates often confuse `envFrom` with `env` or `volumeMounts`, thinking that mounting a ConfigMap as a volume or using individual `env` entries is the only way to expose its data, but `envFrom` is the specific field designed for bulk injection of ConfigMap keys as environment variables.

How to eliminate wrong answers

Option A is wrong because `spec.volumes` defines volumes at the pod level, not environment variables; it is used for mounting data as files. Option B is wrong because `spec.containers[].volumeMounts` mounts a volume into a container's filesystem, not into environment variables. Option D is wrong because `spec.containers[].env` is used to set individual environment variables explicitly, but it does not automatically pull all data from a ConfigMap; it requires manual mapping of each key using `valueFrom`.

143
MCQmedium

Which Kubernetes controller ensures that a specified number of pod replicas are running at all times?

A.ReplicaSet
B.Job
C.ReplicationController
D.DaemonSet
AnswerA

Why this answer

A ReplicaSet is the Kubernetes controller that ensures a specified number of pod replicas are running at all times. It uses a label selector to match pods and maintains the desired replica count by creating or deleting pods as needed. ReplicaSet is the successor to ReplicationController and is primarily used by Deployments to manage pod scaling and self-healing.

Exam trap

CNCF often tests the distinction between ReplicaSet and ReplicationController, trapping candidates who think ReplicationController is still the primary controller for replica management, when in fact ReplicaSet is the modern, recommended controller.

How to eliminate wrong answers

Option B is wrong because a Job controller is designed to run a specified number of pods to completion, not to maintain a continuous replica count. Option C is wrong because ReplicationController is the older, deprecated controller that also ensures a specified number of pod replicas, but it has been superseded by ReplicaSet with more flexible label selectors; however, the question asks for the current correct answer, and ReplicaSet is the standard. Option D is wrong because a DaemonSet ensures that a copy of a pod runs on every node (or a subset of nodes), not a specified number of replicas cluster-wide.

144
Multi-Selectmedium

Which two of the following are valid ways to expose a Pod's container port to other resources? (Select two.)

Select 2 answers
A.Create a Service of type ClusterIP pointing to the Pod's port
B.Add a containerPort field in the Pod spec
C.Set the pod's hostNetwork to true
D.Create an Ingress that routes to the Service
E.Use kubectl port-forward
AnswersA, D

Service exposes the pod's port stably.

Why this answer

A Service is the standard way to expose a pod's port. An Ingress can expose HTTP routes to a Service. containerPort in the pod spec is declarative but does not create exposure by itself; it documents the port. kubectl port-forward is for debugging, not permanent exposure.

145
MCQ · medium

When creating a Deployment, you want to ensure that only a certain number of pods run at a time across all nodes. Which field in the Deployment spec controls this?

A. spec.replicas
B. spec.selector
C. spec.minReadySeconds
D. spec.template
Answer: A

spec.replicas sets the desired number of pods.

Why this answer

The `spec.replicas` field in a Deployment spec defines the desired number of identical Pod replicas that should be running at any given time. This field directly controls the count of Pods across all nodes in the cluster, ensuring that exactly that many Pods are maintained by the ReplicaSet controller. Option A is correct because it is the only field that sets the target Pod count.

Exam trap

The trap here is that candidates confuse `spec.replicas` with `spec.selector`, thinking the selector controls the number of Pods, but the selector only determines which Pods are managed, not how many.

How to eliminate wrong answers

Option B is wrong because `spec.selector` defines a label query used to identify which Pods the Deployment manages, not the number of Pods. Option C is wrong because `spec.minReadySeconds` controls the minimum time a Pod must be ready before it is considered available, not the number of Pods. Option D is wrong because `spec.template` defines the Pod template (containers, volumes, etc.) used to create new Pods, not the desired count.

146
MCQ · medium

A developer has created a Deployment with 3 replicas. The application should be reachable from other Pods within the same cluster. Which Kubernetes resource should be used to provide a stable network endpoint?

A. Ingress
B. Service
C. PersistentVolumeClaim
D. ConfigMap
Answer: B

Services provide stable endpoints for Pod communication.

Why this answer

A Service provides a stable network endpoint (ClusterIP) that load-balances traffic across the Pod replicas, abstracting away Pod IP changes due to restarts or scaling. This allows other Pods within the cluster to reach the application reliably using the Service's DNS name, without needing to track individual Pod IPs.

Exam trap

CNCF often tests the misconception that an Ingress is required for any network access, but the trap here is that Ingress is only for external (north-south) traffic, while internal Pod-to-Pod communication uses a Service.

How to eliminate wrong answers

Option A is wrong because an Ingress is an API object that manages external HTTP/HTTPS access to Services, not internal cluster communication; it requires a Service to route traffic to Pods. Option C is wrong because a PersistentVolumeClaim is used to request storage resources, not to provide a network endpoint for Pod-to-Pod communication. Option D is wrong because a ConfigMap is used to inject configuration data (e.g., environment variables, files) into Pods, not to expose a stable network address.

147
MCQ · medium

You need to store a sensitive database password in Kubernetes. Which resource should you use?

A. PersistentVolume
B. ConfigMap
C. ServiceAccount
D. Secret
Answer: D

Secret is intended for sensitive data.

Why this answer

Secrets are designed to store sensitive data such as passwords, tokens, or keys. Their values are base64 encoded, which is an encoding and not encryption, and they can be mounted as volumes or injected as environment variables.

148
MCQ · medium

A pod is experiencing high memory usage. The administrator wants to enforce that the pod is terminated if it exceeds a memory limit and restarted automatically, but also wants to guarantee a minimum amount of memory for the pod. Which resource specification should be used in the container definition?

A. spec.containers[].resources.requests.memory only
B. spec.containers[].resources.limits.memory and requests.cpu
C. spec.containers[].resources.limits.memory only
D. spec.containers[].resources.requests.memory and limits.memory
Answer: D

Requests guarantee the minimum; limits cap the maximum. If memory exceeds limits, the pod is OOMKilled and restarted.

Why this answer

Option D is correct because setting both `requests.memory` and `limits.memory` guarantees a minimum memory allocation (the request) while enforcing a hard cap (the limit). If the pod exceeds the memory limit, it is terminated (OOMKilled) and, if part of a Deployment or StatefulSet, the controller automatically restarts it. This satisfies the requirement for both guaranteed minimum and enforced maximum with automatic restart.

Exam trap

CNCF often tests the misconception that setting only `limits.memory` is sufficient for both guarantee and enforcement, but without `requests.memory` the pod has no guaranteed minimum and may be evicted under node pressure, failing the 'guarantee a minimum' requirement.

How to eliminate wrong answers

Option A is wrong because `requests.memory` only sets the minimum guaranteed memory but does not enforce any upper limit; the pod could consume unlimited memory and cause node instability. Option B is wrong because `limits.memory` and `requests.cpu` do not address memory limits at all — `requests.cpu` only guarantees CPU, not memory, so the pod could still exceed memory without being terminated. Option C is wrong because `limits.memory` alone enforces a hard cap but does not guarantee a minimum memory allocation; the pod could be starved or evicted if the node is under pressure, failing the 'guarantee a minimum amount of memory' requirement.

149
MCQ · medium

A developer creates a Deployment with 3 replicas. The developer runs 'kubectl get pods' immediately after creation and sees that only 1 pod is in Running state, and the other 2 are Pending. What is the most likely reason for this?

A. The cluster does not have enough resources (CPU/memory) to schedule the additional pods
B. The Deployment's YAML has a syntax error
C. The container image is not available on the worker nodes
D. The kubelet on the node is not running
Answer: A

If nodes lack sufficient resources, new pods remain Pending until resources become available or are released.

Why this answer

When a Pod remains in Pending state, it indicates that the scheduler cannot find a suitable node to place it. The most common cause is insufficient cluster resources (CPU or memory) to accommodate the additional Pods, as the scheduler checks node allocatable resources against Pod resource requests. With 2 out of 3 Pods pending, the cluster likely has enough resources for only one replica, leaving the others unscheduled.

Exam trap

CNCF often tests the distinction between Pod lifecycle phases — Pending means scheduling failure, not image or runtime issues — so candidates mistakenly associate Pending with image pull errors or node problems rather than resource insufficiency.

How to eliminate wrong answers

Option B is wrong because a syntax error in the Deployment YAML would cause the API server to reject the resource creation entirely, resulting in no Pods being created at all, not a mix of Running and Pending Pods. Option C is wrong because if the container image were unavailable, the Pods would transition to ImagePullBackOff or ErrImagePull state, not remain Pending — Pending means scheduling hasn't occurred yet. Option D is wrong because if the kubelet were not running on a node, that node would be marked as NotReady, but the scheduler would still attempt to schedule Pods to other nodes; the issue here is that no node has enough resources, not that a node is offline.

150
Multi-Select · medium

Which two components are part of the Kubernetes control plane? (Select two.)

Select 2 answers
A. etcd
B. kube-proxy
C. kube-apiserver
D. kubelet
E. container runtime
Answers: A, C

etcd is a control plane component.

Why this answer

The control plane includes kube-apiserver, etcd, kube-scheduler, and kube-controller-manager. kubelet and kube-proxy are worker node components.
