CCNA KCNA Kubernetes Fundamentals Questions


301
MCQ · medium

Which component is responsible for ensuring that containers are running as specified in a Pod's specification on a node?

A. Container runtime
B. kubelet
C. kube-proxy
D. kube-scheduler
Answer: B

The kubelet ensures that containers in a Pod are running according to the PodSpec.

Why this answer

Option B is correct. The kubelet is the primary node agent that communicates with the container runtime and ensures containers are running and healthy. kube-proxy manages network rules, the container runtime runs containers but is not directly responsible for enforcing the spec, and the scheduler assigns pods to nodes.

302
MCQ · medium

A user runs 'kubectl create deployment my-deploy --image=nginx' and then wants to scale the deployment to 5 replicas. Which command should they use?

A. kubectl apply -f deployment.yaml with replicas: 5
B. kubectl edit deployment my-deploy and change replicas to 5
C. kubectl patch deployment my-deploy -p '{"spec":{"replicas":5}}'
D. kubectl scale deployment my-deploy --replicas=5
Answer: D

Correct command.

Why this answer

kubectl scale deployment my-deploy --replicas=5 is the direct command to change the replica count.

303
MCQ · hard

A pod in a ReplicaSet is failing with 'CrashLoopBackOff'. 'kubectl logs pod' shows 'Error: listen tcp :8080: bind: address already in use'. What is the most likely cause?

A. The readiness probe is misconfigured.
B. The container image is missing the application binary.
C. The container's process is not terminating quickly enough on SIGTERM, causing a port conflict on restart.
D. The pod is using hostPort and two pods on the same node conflict.
Answer: C

Old process still holds the port.

Why this answer

The error 'address already in use' on port 8080 indicates that when the container restarts, the previous process is still holding the port. This typically happens when the application does not handle SIGTERM properly and does not shut down within the terminationGracePeriodSeconds (default 30s), so the old process lingers while the new one tries to bind to the same port, causing a CrashLoopBackOff.

Exam trap

CNCF often tests the distinction between pod startup failures caused by resource constraints or probe misconfiguration versus application-level port conflicts that arise from improper signal handling during restarts.

How to eliminate wrong answers

Option A is wrong because a misconfigured readiness probe would cause the pod to be marked as not ready, but it would not produce a 'bind: address already in use' error in the logs. Option B is wrong because if the container image were missing the application binary, the error would be something like 'executable file not found' or 'no such file or directory', not a port binding error. Option D is wrong because hostPort is used for port mapping to the node, but the error is about a port conflict inside the same container on restart, not between two different pods on the same node.

304
MCQ · easy

What is the primary purpose of a Kubernetes Service object?

A. To store configuration data that can be consumed by Pods
B. To manage rolling updates and rollbacks for Pods
C. To provide a stable IP address and DNS name for a set of Pods
D. To persist data beyond the lifecycle of a Pod
Answer: C

Services create a durable endpoint that abstracts the underlying Pod IPs, supporting load balancing and service discovery.

Why this answer

Option B is correct. A Service provides a stable network endpoint (IP and DNS name) for a set of Pods, enabling reliable communication even as Pods are created or terminated. Pods themselves have ephemeral IPs.

Services do not provide storage or configuration data.

305
Multi-Select · medium

Which TWO of the following are Kubernetes control plane components?

Select 2 answers
A. kube-apiserver
B. container runtime
C. etcd
D. kube-proxy
E. kubelet
Answers: A, C

The API server is a core control plane component.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane, exposing the Kubernetes API. It validates and processes RESTful requests (using JSON/YAML over HTTP/HTTPS) that create, update, or delete cluster resources, and it is the only component that communicates directly with etcd. Without the API server, no control plane operations can be performed.

Exam trap

CNCF often tests the distinction between control plane and worker node components, expecting candidates to mistakenly include kubelet or kube-proxy as control plane components because they are essential for cluster operation but run on nodes, not the control plane.

306
MCQ · hard

A pod is stuck in Terminating state for several minutes. What is the most likely cause?

A. The node is unreachable or the kubelet is not responding
B. The deployment is configured with a grace period
C. The pod has a liveness probe that is failing
D. The pod's container runtime is paused
Answer: A

If the kubelet cannot be contacted, the pod cannot be terminated.

Why this answer

When a pod is stuck in Terminating state, the most likely cause is that the node where the pod was running is unreachable or the kubelet is not responding. The kubelet is responsible for executing the pod's termination lifecycle, including sending SIGTERM and, after the grace period, SIGKILL. If the kubelet cannot communicate with the API server (e.g., due to node failure, network partition, or kubelet crash), the pod's finalizer cannot be removed, leaving it stuck in Terminating.

Exam trap

CNCF often tests the misconception that a failing liveness probe or a misconfigured grace period causes a pod to be stuck in Terminating, when in fact the root cause is almost always a node or kubelet communication issue.

How to eliminate wrong answers

Option B is wrong because a deployment configured with a grace period (terminationGracePeriodSeconds) is normal and does not cause a pod to be stuck; the pod will be forcefully terminated after the grace period expires. Option C is wrong because a failing liveness probe causes the pod to be restarted or recreated, not stuck in Terminating; liveness probes affect running pods, not termination. Option D is wrong because a paused container runtime would prevent the pod from starting or running, but it does not prevent the kubelet from completing the termination process; the kubelet can still force-kill the container.

307
Multi-Select · medium

Which TWO statements about Namespaces are correct?

Select 2 answers
A. Namespaces provide a way to divide cluster resources among multiple users
B. Namespaces act as a strong security boundary by default
C. Namespaces help organize objects in a cluster
D. Every resource must be created in a namespace
E. Resources in different namespaces cannot communicate with each other
Answers: A, C

Namespaces enable resource quotas and access control scoping.

Why this answer

Option A is correct because Namespaces in Kubernetes provide a mechanism for partitioning a single cluster into multiple virtual clusters, enabling resource quota management and access control for different users or teams. This allows administrators to divide cluster resources (like CPU, memory, and storage) among multiple users via ResourceQuotas and LimitRanges, without requiring separate physical clusters.

Exam trap

CNCF often tests the misconception that Namespaces provide strong security isolation by default, when in reality they only offer logical separation and require explicit NetworkPolicies and RBAC for security.

308
MCQ · easy

What is the primary purpose of a Kubernetes Service?

A. To manage container image versions
B. To store configuration data as key-value pairs
C. To provide a stable endpoint for accessing a set of pods
D. To schedule pods onto nodes
Answer: C

A Service exposes a logical set of pods with a stable IP and DNS name, enabling reliable communication.

Why this answer

A Kubernetes Service provides a stable, virtual IP address and DNS name that acts as a consistent endpoint for accessing a set of pods, regardless of pod IP changes due to scaling, restarts, or scheduling. It decouples frontend clients from backend pods by using label selectors to route traffic, ensuring high availability and load balancing across the pod group.

Exam trap

The trap here is that candidates confuse a Service with a Deployment or ReplicaSet, thinking its purpose is to manage pod lifecycle or scaling, rather than understanding it is purely a networking abstraction for stable pod access.

How to eliminate wrong answers

Option A is wrong because managing container image versions is the responsibility of container registries and image tags, not a Service; this is handled by tools like Docker Hub or Kubernetes image pull policies. Option B is wrong because storing configuration data as key-value pairs is the purpose of a ConfigMap or Secret, not a Service; Services handle network abstraction, not configuration storage. Option D is wrong because scheduling pods onto nodes is the job of the Kubernetes Scheduler, which uses resource requests and constraints, not a Service; a Service only routes traffic to already-scheduled pods.

309
Multi-Select · easy

Which TWO of the following are functions of the kube-controller-manager?

Select 2 answers
A. Managing replication and ensuring the desired number of pods are running
B. Storing cluster state
C. Exposing the Kubernetes API
D. Monitoring node health and responding to node failures
E. Assigning pods to nodes
Answers: A, D

The replication controller ensures the correct number of pod replicas.

Why this answer

The kube-controller-manager runs controller processes that regulate the state of the cluster. The replication controller (part of the controller manager) ensures that the actual number of pod replicas matches the desired count specified in a ReplicaSet or ReplicationController, automatically creating or terminating pods as needed. Additionally, the node controller within the kube-controller-manager periodically checks node health via the Node Lifecycle Controller, which monitors heartbeats (NodeStatus updates) and responds to node failures by tainting the node and evicting pods after a configurable timeout (default 5 minutes).

Exam trap

CNCF often tests the distinction between the kube-controller-manager and the kube-scheduler, so the trap here is that candidates mistakenly think pod-to-node assignment is a controller function, when it is exclusively handled by the scheduler.

310
MCQ · easy

Which component runs on every worker node and is responsible for maintaining the lifecycle of pods?

A. container runtime
B. kube-scheduler
C. kubelet
D. kube-proxy
Answer: C

kubelet runs on each node and manages pods and containers.

Why this answer

kubelet is the primary node agent that ensures containers are running as expected in a pod.

311
MCQ · medium

A pod is in 'Pending' state for a long time. What is the most likely cause?

A. The pod's container has crashed
B. The pod's service endpoint is misconfigured
C. The scheduler cannot find a node that satisfies the pod's resource requests or constraints
D. The container image is invalid
Answer: C

If no node meets the pod's requirements, the pod remains unscheduled.

Why this answer

A pod remains in 'Pending' state when it has been accepted by the API server but cannot be scheduled onto a node. The most common cause is that the scheduler cannot find a node that meets the pod's resource requests (CPU/memory) or constraints (node selectors, affinity rules, taints/tolerations). Until a suitable node is found, the pod stays in Pending, waiting for scheduling.

Exam trap

CNCF often tests the distinction between scheduling failures (Pending) and runtime failures (CrashLoopBackOff, ImagePullBackOff), so the trap here is confusing a pod that cannot be placed on a node with a pod that fails after it starts running.

How to eliminate wrong answers

Option A is wrong because a container crash (e.g., CrashLoopBackOff) occurs after the pod is scheduled and running, not while it is still in Pending. Option B is wrong because a misconfigured service endpoint (e.g., wrong selector or port) affects network connectivity to the pod, not the pod's scheduling state; the pod would still be scheduled and running. Option D is wrong because an invalid container image (e.g., wrong tag or registry path) causes the pod to fail during container creation after scheduling, resulting in ImagePullBackOff or ErrImagePull, not a prolonged Pending state.

312
MCQ · easy

Which kubectl command would you use to view the logs of a specific pod?

A. kubectl logs <pod-name>
B. kubectl exec <pod-name> -- logs
C. kubectl describe pod <pod-name>
D. kubectl get logs <pod-name>
Answer: A

This is the correct command to retrieve pod logs.

Why this answer

The 'kubectl logs' command is used to fetch logs from containers in a pod.

313
MCQ · easy

What is the smallest deployable unit in Kubernetes that can be created and managed?

A. Container
B. Pod
C. Service
D. Deployment
Answer: B

Why this answer

The Pod is the smallest and simplest unit in the Kubernetes object model that you can create and manage. It represents a single instance of a running process in the cluster and encapsulates one or more containers, shared storage, and a unique cluster IP. While containers are the runtime units, Kubernetes does not manage containers directly; it manages Pods, which are the atomic scheduling unit.

Exam trap

The trap here is that candidates confuse containers (the runtime process) with Pods (the Kubernetes API object), leading them to pick 'Container' because they think of Docker-style units, but Kubernetes always wraps containers inside Pods as the smallest deployable and manageable entity.

How to eliminate wrong answers

Option A is wrong because a container is not a Kubernetes API object; it is a runtime abstraction managed by the container runtime (e.g., containerd), and Kubernetes schedules and manages Pods, not individual containers. Option C is wrong because a Service is an abstraction that defines a logical set of Pods and a policy to access them; it is not a deployable unit but a networking resource that sits above Pods. Option D is wrong because a Deployment is a higher-level controller that manages ReplicaSets and Pods, providing declarative updates and scaling; it is not the smallest unit but a management layer over Pods.

314
MCQ · medium

You want to run a batch job that processes data and then terminates. Which Kubernetes resource is best suited for this workload?

A. StatefulSet
B. DaemonSet
C. Job
D. Deployment
Answer: C

Why this answer

A Kubernetes Job is designed for batch processing workloads that run to completion and then terminate. Unlike controllers that maintain a desired number of running Pods (like Deployments or StatefulSets), a Job creates one or more Pods and ensures they successfully exit. Once the specified number of successful completions is reached, the Job stops, making it the ideal choice for a one-time data processing task.

Exam trap

CNCF often tests the distinction between controllers that maintain 'desired state' (Deployments, StatefulSets) versus controllers that manage 'completion' (Jobs), and the trap here is that candidates mistakenly choose Deployment for any workload that 'processes data' without recognizing the terminating nature of the task.

How to eliminate wrong answers

Option A is wrong because a StatefulSet is used for stateful applications that require stable, unique network identities and persistent storage (e.g., databases), not for terminating batch jobs. Option B is wrong because a DaemonSet ensures that a copy of a Pod runs on every node (or a subset of nodes) in the cluster, typically for cluster-level services like logging or monitoring, not for one-off tasks. Option D is wrong because a Deployment manages a set of identical Pods with a desired replica count and supports rolling updates, but it is designed for long-running services, not for workloads that should terminate after completion.

315
Multi-Select · hard

Which TWO of the following statements about Kubernetes namespaces are true?

Select 3 answers
A. Services in different namespaces cannot communicate with each other
B. Every Kubernetes object must be created in a namespace
C. Deleting a namespace will delete all objects in it
D. Namespaces can be used to implement resource quotas
E. Namespaces provide a way to divide cluster resources between multiple users
Answers: C, D, E

Deleting a namespace cascades to all resources within it.

Why this answer

Namespaces provide logical isolation and can be used to separate environments, but not all objects are namespaced (e.g., nodes).

316
MCQ · hard

Which of the following kubectl commands would you use to apply a manifest file and also save it for later updates?

A. kubectl create -f manifest.yaml
B. kubectl patch -f manifest.yaml
C. kubectl replace -f manifest.yaml
D. kubectl apply -f manifest.yaml
Answer: D

Apply is the recommended declarative approach.

Why this answer

The 'kubectl apply' command is used to apply a configuration to a resource by file or stdin. It also supports declarative management, tracking changes for updates.

317
MCQ · medium

A Deployment named 'nginx' is failing to update. You run 'kubectl rollout status deployment nginx' and see 'Waiting for deployment "nginx" rollout to finish: 0 out of 3 new replicas have been updated...'. The pod template has an image that does not exist. What is the most likely cause?

A. The cluster is out of memory
B. The deployment has exceeded the revision history limit
C. The deployment is paused
D. The new image tag is incorrect or does not exist in the registry
Answer: D

Non-existent image leads to ImagePullBackOff, preventing new replicas from becoming ready.

Why this answer

Option D is correct because the rollout status shows that no new replicas have been created, which is a classic symptom of a container image pull failure. When the image tag specified in the pod template does not exist in the registry, the kubelet cannot pull the image, so the ReplicaSet controller cannot start new pods. This prevents the rollout from progressing past 0 out of 3 new replicas.

Exam trap

The trap here is that candidates may confuse a stuck rollout with resource constraints (memory/CPU) or assume the deployment is paused, but the specific status message '0 out of 3 new replicas have been updated' directly points to an image pull failure, not a scheduling or pause issue.

How to eliminate wrong answers

Option A is wrong because a cluster out-of-memory condition would typically cause pods to be in a Pending state with 'Insufficient memory' events, not a stuck rollout with 0 new replicas; the scheduler would fail to place pods, but the image pull issue is unrelated to memory. Option B is wrong because exceeding the revision history limit (default 10) only affects the number of old ReplicaSets retained, not the ability to create new replicas; the rollout would still proceed and create new pods. Option C is wrong because a paused deployment would show a different status message, such as 'deployment "nginx" paused', and the rollout status command would not report 'Waiting for deployment... rollout to finish'; paused deployments do not attempt to create new replicas at all.

318
MCQ · medium

You create a Pod with the following YAML. What will happen when you apply it?

A. The Pod will fail to create because memory and CPU are in the wrong unit
B. The Pod will be created with memory limit of 128Mi and CPU limit of 500m
C. The Pod will be created without resource limits because the syntax is incorrect
D. The Pod will be created but requests and limits will be ignored because they are not valid for Pods
Answer: B

The YAML correctly specifies limits and requests.

Why this answer

Option B is correct because the YAML defines resource limits and requests using standard Kubernetes units: '128Mi' for memory (mebibytes) and '500m' for CPU (millicores). These are valid and will be applied to the container, creating the Pod with the specified limits.

Exam trap

CNCF often tests the misconception that resource units like '128Mi' or '500m' are invalid or that resource limits are not applicable to Pods, when in fact they are standard and correctly applied to containers.

How to eliminate wrong answers

Option A is wrong because '128Mi' and '500m' are correct Kubernetes resource units (Mi = mebibytes, m = millicores), not invalid. Option C is wrong because the syntax is correct; resource limits are defined under 'resources.limits' and will be applied. Option D is wrong because resource limits and requests are valid for containers within a Pod, and they are not ignored; they are enforced by the kubelet.

319
MCQ · medium

A user wants to view the logs from a container named 'app' inside a multi-container pod named 'web'. Which kubectl command should be used?

A. kubectl logs web -c app
B. kubectl logs app web
C. kubectl logs web --container=app
D. kubectl logs web app
Answer: A, C

This is the correct command to view logs from a specific container.

Why this answer

The -c flag specifies the container name when a pod has multiple containers.

320
MCQ · hard

You have a multi-container pod with containers 'app' and 'sidecar'. You need to execute a shell command inside the 'sidecar' container. Which kubectl command should you use?

A. kubectl exec -it mypod -- /bin/sh
B. kubectl exec -it sidecar --container mypod -- /bin/sh
C. kubectl exec -it mypod --container sidecar -- /bin/sh
D. kubectl exec -it mypod -c sidecar -- /bin/sh
Answer: D

The -c flag specifies the container to exec into.

Why this answer

Option D is correct because `kubectl exec` uses the `-c` flag (or `--container`) to specify a target container within a multi-container pod. The syntax `kubectl exec -it mypod -c sidecar -- /bin/sh` opens an interactive shell in the 'sidecar' container of the pod named 'mypod'. Without the `-c` flag, the command defaults to the first container in the pod's spec, which would be 'app'.

Exam trap

CNCF often tests the misconception that `kubectl exec` defaults to the first container or that the container flag is optional, leading candidates to pick option A, which would execute in the wrong container.

How to eliminate wrong answers

Option A is wrong because it omits the `-c` flag, so the shell executes in the first container (typically 'app') rather than 'sidecar'. Option B is wrong because it passes `mypod` as the value of the container flag; the flag expects a container name, not a pod name, and the pod name should follow `exec`. Option C uses the long form `--container sidecar` after the pod name, which is syntactically valid: `--container` is a valid alternative to `-c`, so this option is correct in function. It is less concise, however, and for the KCNA exam the `-c` short form is the standard and expected answer.

The question asks 'Which kubectl command should you use?' and D is the most direct and standard form.

321
MCQ · easy

Which Kubernetes object provides stable network endpoints and load balancing for a set of pods?

A. Deployment
B. ConfigMap
C. Service
D. Pod
Answer: C

Service provides a stable endpoint and load balancing for pods.

Why this answer

A Service provides a stable IP and DNS name, and load balances traffic across pods selected by labels.

322
MCQ · easy

What is the primary purpose of Kubernetes?

A. To replace Docker as a container runtime
B. To provide a graphical user interface for managing containers
C. To automate deployment, scaling, and operations of application containers across clusters
D. To provide a virtual machine management platform
Answer: C

This is the core purpose of Kubernetes.

Why this answer

Kubernetes is a container orchestration platform that automates deployment, scaling, and management of containerized applications.

323
Multi-Select · hard

Which THREE of the following are valid reasons to use a StatefulSet instead of a Deployment? (Select 3)

Select 3 answers
A. You only need a single instance of the application
B. You need stable, unique network identifiers (e.g., pod hostnames) that persist across reschedules
C. You need each pod to have its own persistent storage that is not shared
D. You need to deploy a stateless web application with multiple replicas
E. You need ordered, graceful deployment and scaling (e.g., pod-0 starts before pod-1)
Answers: B, C, E

StatefulSets provide stable network identities (e.g., pod-0, pod-1) that are maintained across rescheduling.

Why this answer

StatefulSets provide stable, unique network identifiers (e.g., pod hostnames) that persist across reschedules because each pod gets a fixed ordinal index (e.g., pod-0, pod-1) and a corresponding DNS name (e.g., pod-0.statefulset.namespace.svc.cluster.local). This is essential for applications like databases (e.g., Cassandra, ZooKeeper) that rely on consistent peer discovery and identity, which Deployments cannot guarantee since they assign random pod names and IPs.

Exam trap

CNCF often tests the misconception that StatefulSets are only for persistent storage, but the trap here is that candidates overlook the requirement for stable network identities and ordered operations, which are equally critical and distinct from storage needs.

324
MCQ · medium

Which of the following is true about Kubernetes Namespaces?

A. Namespaces can help organize and manage resources in a cluster
B. Resource names must be unique across all namespaces
C. Namespaces provide network isolation between resources
D. You must create a namespace before creating any resources
Answer: A

Namespaces are used to divide cluster resources between multiple users/teams.

Why this answer

Namespaces provide a mechanism for isolating groups of resources within a single cluster, but they do not provide network isolation by default (that requires NetworkPolicies).

325
MCQ · easy

What is the smallest deployable unit in Kubernetes?

A. Deployment
B. Pod
C. Container
D. Node
Answer: B

A Pod is the smallest deployable unit that can be created and managed in Kubernetes.

Why this answer

The Pod is the smallest deployable unit in Kubernetes because it represents a single instance of a running process in the cluster and encapsulates one or more containers with shared storage and network resources. While containers are the runtime units, Kubernetes schedules and manages Pods, not individual containers, making the Pod the atomic building block for deployment.

Exam trap

CNCF often tests the misconception that a container is the smallest deployable unit because containers are the runtime entities, but Kubernetes abstracts them into Pods for scheduling and resource sharing, so candidates who confuse 'runtime unit' with 'deployable unit' will incorrectly select Container.

How to eliminate wrong answers

Option A is wrong because a Deployment is a higher-level abstraction that manages ReplicaSets and Pods, not the smallest deployable unit itself. Option C is wrong because a Container is the runtime process inside a Pod, but Kubernetes cannot schedule or manage a container directly without a Pod wrapper. Option D is wrong because a Node is a worker machine in the cluster that hosts Pods, not a deployable unit — you deploy Pods onto Nodes, not Nodes themselves.

326
MCQ · medium

A team wants to minimize downtime during a Deployment rollout. Which strategy ensures that new pods are created before old pods are terminated?

A. Set strategy type to 'Recreate'.
B. Set strategy type to 'RollingUpdate' with maxSurge=0, maxUnavailable=1.
C. Set strategy type to 'RollingUpdate' with maxSurge=1, maxUnavailable=0.
D. Set strategy type to 'RollingUpdate' with maxSurge=1, maxUnavailable=1.
Answer: C

New pods are created first, ensuring zero downtime.

Why this answer

Option C is correct because setting `maxSurge=1` and `maxUnavailable=0` in a RollingUpdate strategy ensures that one additional pod is created above the desired replica count before any existing pod is terminated. This guarantees zero downtime by maintaining full capacity during the rollout, as new pods become ready before old ones are removed.

Exam trap

The trap here is that candidates often confuse `maxSurge` and `maxUnavailable` values, mistakenly thinking that allowing both a surge and an unavailable pod (option D) is safer, when in fact it can still cause a temporary capacity drop if the new pod is not ready before the old one is terminated.

How to eliminate wrong answers

Option A is wrong because the 'Recreate' strategy terminates all old pods before creating new ones, causing downtime. Option B is wrong because `maxSurge=0, maxUnavailable=1` terminates one old pod before creating a new one, which can cause a temporary capacity deficit and potential downtime. Option D is wrong because `maxSurge=1, maxUnavailable=1` allows both a new pod to be created and an old pod to be terminated simultaneously, which may still result in a brief capacity drop if the new pod is not ready before the old one is removed.

327
MCQ · easy

What is the primary purpose of Kubernetes?

A. To provide a graphical user interface for managing containers
B. To replace Docker as a container runtime
C. To automate deployment, scaling, and management of containerized applications
D. To compile source code into container images
Answer: C

This is the core purpose of Kubernetes.

Why this answer

Kubernetes is a container orchestration platform used to automate the deployment, scaling, and management of containerized applications.

328
Multi-Select · medium

Which three of the following are valid methods to create or update resources in Kubernetes? (Choose three.)

Select 3 answers
A. kubectl apply -f manifest.yaml
B. kubectl update -f manifest.yaml
C. kubectl replace -f manifest.yaml
D. kubectl create -f manifest.yaml
E. Using the Kubernetes REST API directly
Answers: A, D, E

apply creates/updates resources declaratively.

Why this answer

kubectl apply and kubectl create are used to create or update resources, using a declarative or an imperative approach. Direct API calls also work. kubectl update does not exist.

329
MCQ · medium

Which kubectl command is used to apply a manifest file to create or update resources?

A. kubectl update -f manifest.yaml
B. kubectl run -f manifest.yaml
C. kubectl apply -f manifest.yaml
D. kubectl create -f manifest.yaml
Answer: C

This is the correct declarative command.

Why this answer

'kubectl apply' uses a declarative approach to create or update resources defined in a file.

330
MCQ · hard

A user creates a Pod with a PersistentVolumeClaim (PVC) that requests 5Gi of storage. The cluster has two PersistentVolumes (PVs): PV1 (3Gi, AccessModes: ReadWriteOnce) and PV2 (10Gi, AccessModes: ReadOnlyMany). The PVC specifies storageClassName: "" and AccessModes: ReadWriteOnce. Which PV will bind to the PVC?

A. PV2 will bind because it has sufficient capacity.
B. Neither PV will bind; the PVC will remain pending.
C. PV1 will bind because it has matching AccessModes.
D. Both PVs will bind to satisfy the request.
Answer: B

No PV satisfies both capacity and access mode requirements.

Why this answer

The PVC requests ReadWriteOnce, so PV2 (ReadOnlyMany) does not match. PV1 matches AccessModes and storageClassName is empty (implies no storage class), but PV1's capacity (3Gi) is less than the request (5Gi). No PV matches, so the PVC remains unbound.

331
MCQ · medium

Which command is used to view the logs of a pod named 'web-pod'?

A. kubectl logs web-pod
B. kubectl describe pod web-pod
C. kubectl get logs web-pod
D. kubectl exec web-pod -- logs
Answer: A

kubectl logs retrieves container logs.

Why this answer

kubectl logs <pod-name> fetches the standard output/error logs from the pod's containers.

332
MCQ · easy

Which kubectl command can be used to view detailed information about a specific pod, including its current state, events, and resource usage?

A. kubectl describe pod <pod-name>
B. kubectl logs <pod-name>
C. kubectl exec <pod-name> -- /bin/sh
D. kubectl get pod <pod-name> -o yaml
Answer: A

The describe command gives a comprehensive overview including status, conditions, and events.

Why this answer

'kubectl describe pod <pod-name>' provides detailed information about a pod, including events, state, and configuration.

333
MCQhard

An application running in a Kubernetes cluster needs to securely access a third-party API. The API key must be stored in the cluster and mounted into the Pod as an environment variable. Which is the best practice?

A.Create a Secret with the API key and use envFrom or valueFrom in the Pod spec.
B.Store the API key in a ConfigMap and reference it in the Pod spec.
C.Embed the API key directly in the container image.
D.Store the API key in a Pod annotation and read it with kubectl.
AnswerA

Secrets are designed for confidential data and can be injected as environment variables.

Why this answer

Option A is correct: Secrets should be used for sensitive data like API keys. They are base64 encoded and can be mounted as env vars. Option B is wrong because ConfigMaps are for non-sensitive data.

Option C is wrong because storing secrets in plaintext in the image is insecure. Option D is wrong because annotations are not designed for storing secrets and doing so is insecure.

334
MCQhard

You have a pod that is scheduled on a node with insufficient memory. The pod's manifest does not have a memory limit, but the node is under memory pressure. What is likely to happen to the pod?

A.The pod will continue running normally because it has no limit
B.The pod will be evicted and rescheduled on a different node
C.The pod will be terminated with a 'CrashLoopBackOff' status
D.The pod will be terminated with a 'OOMKilled' status
AnswerD

OOMKilled occurs when a container is killed by the kernel due to memory exhaustion.

Why this answer

If a pod has no memory limit, it can use as much memory as needed. When the node is under memory pressure, the kernel's OOM killer may target the pod, leading to OOMKilled.

335
Multi-Selecthard

Which THREE of the following are true about Kubernetes labels and selectors?

Select 3 answers
A.Labels are encrypted at rest by default
B.Set-based selectors support operators like 'In' and 'NotIn'
C.Selectors can be used by Services to identify which pods to route traffic to
D.Labels are immutable after creation
E.Labels can be used to organize and select subsets of objects
AnswersB, C, E

Set-based selectors support 'In', 'NotIn', 'Exists', and 'DoesNotExist'.

Why this answer

Option B is correct because Kubernetes set-based selectors support operators like 'In', 'NotIn', 'Exists', and 'DoesNotExist', allowing more flexible matching than equality-based selectors. This is defined in the Kubernetes API specification for label selectors, enabling complex filtering of resources.

Exam trap

CNCF often tests the misconception that labels are immutable like certain other Kubernetes fields, but labels are explicitly designed to be mutable for dynamic resource management.

336
MCQmedium

Which Kubernetes object provides a stable IP address and DNS name to access a set of pods, and can perform load balancing?

A.Service
B.Ingress
C.Deployment
D.Pod
AnswerA

Services provide stable IP and DNS, and load balance traffic to selected pods.

Why this answer

A Service of type ClusterIP (default) provides a stable endpoint and load balancing across pods matching its selector.

337
MCQeasy

What is the smallest deployable unit in Kubernetes?

A.Node
B.Container
C.Deployment
D.Pod
AnswerD

A Pod is the atomic unit of scheduling in Kubernetes.

Why this answer

A Pod is the smallest and simplest unit that can be created and managed in Kubernetes.

338
MCQmedium

Two pods, 'app-v1' and 'app-v2', both have a label 'app: myapp'. A Service 'my-service' has a selector 'app: myapp'. How many endpoints will the Service initially have?

A.2
B.1
C.0
D.Depends on pod readiness
AnswerA

Both pods have the label 'app: myapp', so both are selected and become endpoints.

Why this answer

Option A is correct because the Service's selector 'app: myapp' matches both pods 'app-v1' and 'app-v2', which both carry the label 'app: myapp'. The Service controller automatically creates endpoints for all pods matching the selector, regardless of their readiness state, unless a headless service or custom endpoint logic is involved. Initially, both pods are considered ready by default (unless a readiness probe fails), so the Service will have two endpoints.

Exam trap

The trap here is that candidates often confuse the initial endpoint count with the number of ready pods, but Kubernetes creates endpoints for all matching pods immediately, and readiness only affects traffic routing, not the endpoint count itself.

How to eliminate wrong answers

Option B is wrong because it assumes only one pod matches the selector, but both pods have the label 'app: myapp', so both are selected. Option C is wrong because it suggests no endpoints are created, but the Service controller immediately creates endpoints for all matching pods; zero endpoints would only occur if no pods matched the selector. Option D is wrong because pod readiness does not affect the initial creation of endpoints; endpoints are created for all matching pods, and readiness only affects whether traffic is routed to them (via the endpoints controller removing unready pods from the endpoint list).

339
MCQmedium

A team notices that a pod remains in 'CrashLoopBackOff' state after deployment. The application logs show 'Error: unable to bind to port 8080'. What is the most likely cause?

A.The pod's resource limits are too low.
B.An environment variable has a typo in the Deployment spec.
C.The readiness probe is misconfigured.
D.The container's port is already in use on the host node.
AnswerD

Correct; a port conflict prevents binding, causing the container to exit.

Why this answer

The error 'unable to bind to port 8080' indicates that the container process cannot open port 8080 for listening. The most likely cause is that another process on the host node is already using port 8080, preventing the container from binding to it. This is a classic port conflict scenario, where the host's network namespace has a port already allocated, and the container (even with its own network namespace) may be using host networking or the port is mapped from the host.

Exam trap

Cisco often tests the misconception that a 'CrashLoopBackOff' with a port bind error is caused by resource limits or probe misconfiguration, when in reality it points to a network-level port conflict on the host node.

How to eliminate wrong answers

Option A is wrong because resource limits being too low would cause the pod to be OOMKilled or throttled, not a bind error on a specific port. Option B is wrong because a typo in an environment variable would cause the application to misread configuration, but the error message explicitly states a port binding failure, not a missing or incorrect variable. Option C is wrong because a misconfigured readiness probe would cause the pod to be marked as not ready and removed from service endpoints, but the pod would still start and run; the error here occurs at container startup before any probe can fail.

340
MCQeasy

What is the smallest deployable unit in Kubernetes?

A.Pod
B.Node
C.Container
D.Deployment
AnswerA

A Pod is the smallest deployable unit that can be created, scheduled, and managed.

Why this answer

A Pod is the smallest deployable unit in Kubernetes because it encapsulates one or more containers that share the same network namespace, storage volumes, and lifecycle. While containers are the runtime processes, Kubernetes schedules and manages Pods as atomic units, meaning you cannot deploy a container directly without a Pod wrapper.

Exam trap

The trap here is that candidates confuse 'container' as the smallest unit because Docker popularized container-centric thinking, but Kubernetes abstracts containers into Pods as the fundamental scheduling and deployment boundary.

How to eliminate wrong answers

Option B is wrong because a Node is a worker machine (physical or virtual) that hosts Pods, not a deployable unit itself; you deploy Pods onto Nodes. Option C is wrong because a Container is the runtime process inside a Pod, but Kubernetes does not schedule containers individually—they must be part of a Pod. Option D is wrong because a Deployment is a higher-level controller that manages the desired state of ReplicaSets and Pods, but the smallest unit it directly operates on is still the Pod.

341
Matchingmedium

Match each Kubernetes scheduler concept to its description.

Concepts
Matches

Constraints that attract pods to nodes based on node labels

Mechanism to repel pods from nodes unless they tolerate the taint

Minimum amount of CPU/memory guaranteed to a container

Maximum amount of CPU/memory a container can use

Indicates importance of a pod relative to others for preemption

Why these pairings

These concepts control how pods are scheduled and allocated resources.

342
MCQhard

You need to ensure that a pod runs on a node with SSD storage. How can you achieve this?

A.Use nodeSelector with a label that matches nodes having SSDs
B.Use a taint on nodes without SSDs and a toleration on the pod
C.Use pod anti-affinity to avoid nodes without SSDs
D.Use node affinity with requiredDuringSchedulingIgnoredDuringExecution
AnswerD

Node affinity allows you to specify hard or soft constraints. Using requiredDuringSchedulingIgnoredDuringExecution ensures the pod is only scheduled on nodes with the specified label.

Why this answer

Node affinity is a set of rules used by the scheduler to determine which nodes a pod can be placed on. Labels on nodes can be used to indicate hardware characteristics like SSD storage.

343
MCQeasy

A pod is stuck in 'Pending' state. 'kubectl describe pod' shows '0/4 nodes are available: 4 node(s) had taint {node.kubernetes.io/unreachable: }, that the pod didn't tolerate.' What is the most likely cause?

A.All nodes have disk pressure.
B.All nodes are unreachable or have been cordoned.
C.The pod has a toleration that matches the taint.
D.The nodes do not have enough CPU or memory.
AnswerB

The taint indicates nodes are unreachable.

Why this answer

The taint `node.kubernetes.io/unreachable` is automatically added by the node controller when a node becomes unreachable (e.g., network failure, kubelet stops heartbeating). The error shows all 4 nodes have this taint and the pod has no matching toleration, meaning the scheduler cannot place the pod. This directly indicates all nodes are unreachable or have been cordoned (which also adds the `node.kubernetes.io/unschedulable` taint, but here the specific taint is `unreachable`).

Exam trap

Cisco often tests the distinction between taint types — candidates confuse `unreachable` with resource-based taints like `disk-pressure` or `insufficient-memory`, or assume a toleration would solve the issue when the problem is that no toleration exists.

How to eliminate wrong answers

Option A is wrong because disk pressure is indicated by the taint `node.kubernetes.io/disk-pressure`, not `node.kubernetes.io/unreachable`. Option C is wrong because if the pod had a toleration matching the taint, it would be scheduled despite the taint, but the error explicitly states the pod didn't tolerate it. Option D is wrong because insufficient CPU or memory would show taints like `node.kubernetes.io/insufficient-cpu` or `node.kubernetes.io/insufficient-memory`, not the `unreachable` taint.

344
MCQmedium

Which Kubernetes object should you use to store non-sensitive configuration data that can be consumed by Pods as environment variables or mounted files?

A.Secret
B.PersistentVolume
C.ConfigMap
D.Service
AnswerC

ConfigMap is used to store non-confidential configuration data in key-value pairs.

Why this answer

ConfigMap is the correct Kubernetes object for storing non-sensitive configuration data, such as key-value pairs or configuration files. It is designed to decouple configuration artifacts from container images, allowing Pods to consume this data as environment variables, command-line arguments, or mounted files in a volume. Unlike Secrets, ConfigMaps do not provide encryption or base64 encoding by default, making them suitable only for non-sensitive information.

Exam trap

The trap here is that candidates often confuse ConfigMaps with Secrets, assuming both are interchangeable for configuration, but Cisco tests the distinction that Secrets are for sensitive data and ConfigMaps are for non-sensitive data, and that PersistentVolume is for storage, not configuration.

How to eliminate wrong answers

Option A is wrong because Secret is specifically designed for storing sensitive data (e.g., passwords, tokens, SSH keys) and uses base64 encoding with optional encryption at rest, not for non-sensitive configuration. Option B is wrong because PersistentVolume is an abstraction for storage resources (e.g., NFS, iSCSI) that provides persistent storage volumes to Pods, not for storing configuration data as environment variables or files. Option D is wrong because Service is a networking abstraction that exposes a set of Pods as a network service (e.g., ClusterIP, NodePort), and it cannot store or provide configuration data to Pods.

345
MCQhard

A pod is stuck in the 'Pending' state. Which command would you use to get more details about why the pod cannot be scheduled?

A.kubectl logs <pod-name>
B.kubectl exec -it <pod-name> -- sh
C.kubectl describe pod <pod-name>
D.kubectl get pod <pod-name> -o yaml
AnswerC

Describe shows events and status that indicate scheduling issues.

Why this answer

'kubectl describe pod <pod-name>' shows events and conditions that explain why the pod is pending, such as resource shortages or node selector mismatches.

346
MCQmedium

A pod is stuck in 'Pending' state. Which of the following is a likely cause?

A.The pod's command returned a non-zero exit code
B.The container image is invalid
C.Insufficient CPU or memory resources on any available node
D.The pod's liveness probe failed
AnswerC

If no node can satisfy the pod's resource requests, the scheduler leaves it Pending.

Why this answer

Pending means the scheduler cannot place the pod. Insufficient resources on nodes is a common cause. Option C is correct.

347
MCQmedium

A Deployment named 'web-app' is configured with replicas: 3. You update the container image. Which Kubernetes object directly manages the pods during the rolling update?

A.StatefulSet
B.DaemonSet
C.Job
D.ReplicaSet
AnswerD

Deployment manages ReplicaSets, which in turn manage pods.

Why this answer

The Deployment creates a new ReplicaSet for the new version and scales it up while scaling down the old ReplicaSet. Pods are managed by ReplicaSets, not by the Deployment directly.

348
MCQeasy

Which kubectl command is used to see the logs of a container in a pod?

A.kubectl attach <pod-name>
B.kubectl logs <pod-name>
C.kubectl exec <pod-name> -- cat /var/log/app.log
D.kubectl describe pod <pod-name>
AnswerB

Correct command.

Why this answer

kubectl logs <pod-name> retrieves logs from the container. If the pod has multiple containers, use -c to specify the container.

349
MCQhard

A developer reports that a Pod cannot reach another Service in the same namespace via its DNS name. The Service name is 'api'. What is the correct DNS query for a Pod to resolve this Service?

A.api.svc.cluster.local
B.api.namespace.svc.cluster.local
C.api
D.api.default.svc.cluster.local
AnswerC

Within the same namespace, the short name works.

Why this answer

Option C is correct because when a Pod and a Service are in the same namespace, Kubernetes DNS resolves the Service using just the Service name (e.g., 'api'). The DNS search domain configured in the Pod's resolv.conf (e.g., <namespace>.svc.cluster.local) appends the namespace and cluster suffix automatically, so a short query like 'api' resolves correctly without needing the full FQDN.

Exam trap

The trap here is that candidates often assume the full FQDN (e.g., 'api.svc.cluster.local') is always required, forgetting that DNS search domains in the Pod's resolv.conf enable short-name resolution within the same namespace.

How to eliminate wrong answers

Option A is wrong because 'api.svc.cluster.local' omits the namespace, which is required in the full DNS name; the correct FQDN for a cross-namespace query would be 'api.<namespace>.svc.cluster.local'. Option B is wrong because it includes 'namespace' as a literal string instead of the actual namespace name (e.g., 'default'), making it invalid unless the namespace is literally named 'namespace'. Option D is wrong because it assumes the namespace is 'default', which is not guaranteed; the Pod and Service could be in any namespace, and the short name 'api' works only within the same namespace.

350
MCQmedium

Which of the following is true about Kubernetes Namespaces?

A.Namespaces can be nested
B.Namespaces are required for all resources
C.Namespaces provide network isolation by default
D.Namespaces are used to logically isolate resources like pods and services
AnswerD

Namespaces provide a scope for names and can be used for resource quotas.

Why this answer

Namespaces provide a scope for resource names and can be used to divide cluster resources between multiple users.

351
MCQhard

Refer to the exhibit. The nginx Pod is created, but the Pod never becomes Ready. The container starts and runs. What is the most likely reason?

A.The nginx:latest image does not exist.
B.The containerPort is not matching the actual port nginx listens on.
C.The liveness probe is failing because /healthz endpoint does not exist, causing the container to restart.
D.The readiness probe is failing because the root path is not returning 200.
AnswerC

The liveness probe expects /healthz to return 200, but nginx does not serve that path by default, so the probe fails and the container is restarted. This prevents the readiness probe from ever succeeding.

Why this answer

The liveness probe is configured to check the /healthz endpoint, but the default nginx container does not serve a /healthz endpoint. This causes the liveness probe to fail, and Kubernetes restarts the container according to the probe's failure threshold. Since the container keeps restarting, it never reaches the Ready state, even though the container starts and runs initially.

Exam trap

Cisco often tests the distinction between liveness and readiness probes, and the trap here is that candidates assume a failing liveness probe only affects health checks, not the Pod's Ready status, when in fact repeated restarts prevent the Pod from ever becoming Ready.

How to eliminate wrong answers

Option A is wrong because if the nginx:latest image did not exist, the Pod would fail to pull the image and remain in ImagePullBackOff or ErrImagePull state, not start and run. Option B is wrong because the containerPort is a declaration for documentation and network policy; nginx listens on port 80 by default, and even if the port mismatched, the container would still start and become Ready as long as the probes pass. Option D is wrong because the readiness probe is checking the root path (/) which nginx serves by default with a 200 status, so it would pass; the issue is the liveness probe hitting a non-existent /healthz endpoint.

352
MCQeasy

Which of the following is used to logically isolate resources within a Kubernetes cluster?

A.Annotations
B.Selectors
C.Namespaces
D.Labels
AnswerC

Namespaces partition resources within a cluster.

Why this answer

Namespaces provide logical isolation for resources. Option C is correct.

353
Multi-Selectmedium

Which THREE of the following are valid ways to pass configuration data to a container in a pod? (Select 3)

Select 3 answers
A.Modifying the container image after deployment
B.Using a PersistentVolumeClaim to store configuration
C.Setting environment variables directly in the pod spec
D.Using a ConfigMap mounted as a volume
E.Using a Secret as an environment variable
AnswersC, D, E

You can define env vars in the container spec.

Why this answer

ConfigMaps, Secrets, and environment variables defined directly in the pod spec are all legitimate methods to inject configuration.

354
MCQmedium

A user creates a Deployment with 'replicas: 3'. After applying the manifest, only 2 pods are running. What is the most likely cause?

A.The Deployment's YAML had a syntax error
B.There is insufficient node capacity to schedule the third pod
C.The container image name is misspelled
D.The ReplicaSet controller is not running
AnswerB

If nodes lack resources, the scheduler cannot place the pod, leaving it pending.

Why this answer

Resource constraints (insufficient CPU or memory) can prevent the scheduler from placing all pods. Other issues like image pull errors would result in different states.

355
MCQmedium

You want to deploy a stateless web application that should maintain 5 running instances at all times. You need to support rolling updates and rollbacks. Which Kubernetes resource is most appropriate?

A.DaemonSet
B.Deployment
C.ReplicaSet
D.StatefulSet
AnswerB

Deployments manage ReplicaSets and provide rolling updates, rollbacks, and declarative updates for stateless applications.

Why this answer

A Deployment manages a ReplicaSet and provides declarative updates, rolling updates, and rollback capabilities, making it ideal for stateless applications.

356
Multi-Selecthard

Which TWO statements about Namespaces are correct?

Select 2 answers
A.Resource names must be unique within a namespace
B.Namespaces provide network isolation by default
C.All Kubernetes resources are namespaced
D.Namespaces provide a way to divide cluster resources between multiple users
E.You can delete a namespace without affecting the resources inside it
AnswersA, D

Uniqueness is enforced within a namespace.

Why this answer

Namespaces provide logical isolation and scoping for resource names. However, some resources like Nodes and PersistentVolumes are cluster-scoped and cannot be namespaced. Also, namespaces do not provide network isolation by default; NetworkPolicies do.

357
Multi-Selecthard

Which TWO of the following statements about Kubernetes Deployments are correct? (Select 2)

Select 2 answers
A.Deployments support rolling updates and rollbacks
B.Deployments ensure that a copy of a Pod runs on each node in the cluster
C.Deployments are used for batch processing jobs that run to completion
D.Deployments manage the lifecycle of ReplicaSets
E.Deployments provide stable network identities for Pods
AnswersA, D

Deployments provide a declarative update strategy that supports rolling updates and rollbacks.

Why this answer

Options A and D are correct. Deployments manage ReplicaSets and support rolling updates with the ability to roll back. Option B is incorrect because Deployments can run on any node; DaemonSets ensure a pod runs on every node.

Option C is incorrect because Deployments are not used for batch workloads; Jobs are. Option E is incorrect because Deployments do not guarantee pod identity; StatefulSets do.

358
Multi-Selectmedium

Which TWO are valid reasons to use a Namespace in Kubernetes?

Select 2 answers
A.To enforce network policies that restrict traffic between Pods in different Namespaces.
B.To reduce the number of API calls to the control plane.
C.To isolate resources and prevent naming collisions between different teams.
D.To improve application performance by reducing latency.
E.To store environment variables for containers.
AnswersA, C

NetworkPolicies can be scoped to Namespaces to control traffic flow.

Why this answer

Option A is correct because Kubernetes NetworkPolicies are namespace-scoped resources that can restrict ingress and egress traffic between Pods in different Namespaces. By default, all Pods can communicate across Namespaces, but applying a NetworkPolicy with a podSelector and namespaceSelector allows you to enforce isolation. Option C is correct because Namespaces provide a logical boundary for resource names, preventing naming collisions when multiple teams or projects deploy objects with the same name within the same cluster.

Exam trap

CNCF often tests the misconception that Namespaces provide performance benefits or reduce API load, when in reality they are purely a logical isolation and naming boundary with no direct impact on network speed or control plane traffic.

359
Multi-Selectmedium

Which TWO components are part of the Kubernetes control plane? (Choose two.)

Select 2 answers
A.kube-proxy
B.container runtime
C.kube-apiserver
D.kube-controller-manager
E.kubelet
AnswersC, D

Core control plane component.

Why this answer

The control plane includes kube-apiserver, etcd, kube-scheduler, and kube-controller-manager. kubelet and kube-proxy are node components.

360
MCQeasy

What is the smallest deployable unit in Kubernetes that can be created, scheduled, and managed?

A.Pod
B.Node
C.Deployment
D.Container
AnswerA

A Pod represents a single instance of a running process and is the smallest deployable unit.

Why this answer

A Pod is the smallest and simplest unit in the Kubernetes object model.

361
MCQhard

A pod named 'db' in the 'default' namespace cannot connect to another pod named 'cache' in the 'prod' namespace via DNS. The service 'cache-svc' exists in the 'prod' namespace. What DNS name should the 'db' pod use to reach the 'cache-svc' service?

A.cache-svc.default
B.cache-svc.prod
C.cache-svc.prod.svc.cluster.local
D.cache-svc.default.svc.cluster.local
AnswerC

The correct DNS format for a service in another namespace is <svc>.<ns>.svc.cluster.local.

Why this answer

Option C is correct because Kubernetes DNS resolves services across namespaces using the format <service>.<namespace>.svc.cluster.local. Since the 'cache-svc' service is in the 'prod' namespace, the 'db' pod in the 'default' namespace must use 'cache-svc.prod.svc.cluster.local' to reach it. The default cluster domain is 'cluster.local', and the 'svc' subdomain is part of the standard DNS schema for services.

Exam trap

CNCF often tests the misconception that the namespace alone (e.g., 'cache-svc.prod') is sufficient for cross-namespace DNS resolution, but the full 'svc.cluster.local' suffix is mandatory for the cluster DNS to resolve the service correctly.

How to eliminate wrong answers

Option A is wrong because 'cache-svc.default' implies the service is in the 'default' namespace, but the service is actually in 'prod', and it omits the required 'svc.cluster.local' suffix. Option B is wrong because 'cache-svc.prod' is incomplete—it lacks the 'svc.cluster.local' suffix, so it would not be resolved by the cluster DNS server (CoreDNS/kube-dns). Option D is wrong because it places the service in the 'default' namespace (using 'default' instead of 'prod'), which does not match the actual namespace of the service.

362
MCQmedium

You need to create a ConfigMap from a file named 'app.properties'. Which kubectl command should you use?

A.kubectl create configmap my-config --from-literal=app.properties
B.kubectl create configmap my-config --file=app.properties
C.kubectl create configmap my-config --from-env-file=app.properties
D.kubectl create configmap my-config --from-file=app.properties
AnswerD

This creates a ConfigMap with the file contents.

Why this answer

kubectl create configmap supports the --from-file flag to create a ConfigMap from a file. Option B uses an invalid flag; option A uses the wrong flag; option C uses --from-env-file, which is for loading environment variables from a file, but the question asks for a ConfigMap from a file generally.

363
MCQmedium

Which component of the control plane is responsible for persisting the entire cluster state?

A.kube-scheduler
B.kube-controller-manager
C.etcd
D.kube-apiserver
AnswerC

etcd stores all cluster data.

Why this answer

etcd is a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data.

364
MCQeasy

What is the primary purpose of Kubernetes?

A.To orchestrate containers across a cluster of machines
B.To provide a graphical user interface for managing containers
C.To replace Docker as a container runtime
D.To provide a virtual machine management platform
AnswerA

Kubernetes automates container deployment, scaling, and operations.

Why this answer

Kubernetes is a container orchestration platform designed to automate deployment, scaling, and management of containerized applications.

365
MCQhard

An administrator notices that a pod in a Deployment is stuck in CrashLoopBackOff. The pod logs show 'Error: failed to start container: exec: "app": executable file not found in $PATH'. What is the most likely cause?

A.The image registry credentials are missing
B.The liveness probe is misconfigured and killing the container
C.The container is running as a non-root user without proper permissions
D.The container image does not contain the binary specified in the pod's command field
AnswerD

The exec error shows the binary is missing, likely due to a typo or wrong image.

Why this answer

The error 'exec: "app": executable file not found in $PATH' indicates that the container image does not contain the binary or script specified in the pod's command field (e.g., `command: ["app"]`). This typically happens when the image is built without the expected executable, the command path is incorrect, or the image tag points to a different version. The container fails to start because the runtime cannot locate the entrypoint.

Exam trap

CNCF often tests the distinction between image pull errors (ImagePullBackOff) and container execution errors (CrashLoopBackOff), so candidates may confuse missing credentials with a missing executable in the image.

How to eliminate wrong answers

Option A is wrong because missing registry credentials would cause an ImagePullBackOff, not a CrashLoopBackOff with an exec error in logs. Option B is wrong because a misconfigured liveness probe would cause the container to be restarted after it starts, but the exec error occurs before the container can run, so the probe never executes. Option C is wrong because running as a non-root user without permissions would produce a 'permission denied' error, not an 'executable file not found' error.

366
Multi-Selectmedium

Which TWO of the following are functions of the kube-controller-manager?

Select 2 answers
A.Serving the Kubernetes API
B.Implementing network rules for Services
C.Scheduling pods to nodes
D.Running the node controller to monitor node health
E.Managing ReplicaSets to ensure the desired number of pods are running
AnswersD, E

The node controller periodically checks node status and responds to node failures.

Why this answer

The kube-controller-manager is a core control plane component that runs controller processes, including the node controller, which monitors node health by checking the NodeStatus and NodeLease objects. If a node becomes unreachable (e.g., the node controller fails to receive a heartbeat within the --node-monitor-grace-period, default 40 seconds), it marks the node as Unhealthy and eventually taints it to trigger pod eviction. This makes option D correct because the node controller is a built-in controller within the kube-controller-manager.

Exam trap

CNCF often tests the distinction between control plane components by listing overlapping responsibilities, so the trap here is confusing the kube-controller-manager's role in managing controllers (like the node controller and ReplicaSet controller) with the kube-scheduler's scheduling function or kube-proxy's network rule implementation.

367
MCQ · hard

A Deployment named 'web-app' has been running with 3 replicas. After a configuration change, you notice that only 2 pods are ready. You run 'kubectl describe deployment web-app' and see 'Replicas: 3 desired | 3 total | 3 up-to-date | 2 available'. What is the most likely cause?

A. The Deployment's resource requests exceed node capacity
B. The Service selector does not match the pod labels
C. The pods have a failing readiness probe
D. The kubelet on one node is not functioning
Answer: C

A failing readiness probe prevents the pod from being marked as available, while the pod itself is running.

Why this answer

The deployment controller uses a readiness probe to determine if a pod is ready. If the probe fails, the pod is not marked as available, even if it is running.

368
Multi-Select · hard

A user reports that a web application is not accessible via its Service. The Service is of type ClusterIP. Which TWO steps should be taken to troubleshoot?

Select 2 answers
A. Verify that the kube-proxy is running on the node
B. Check that the container runtime is working
C. Check the kube-apiserver status
D. Check if the Service has any endpoints using 'kubectl get endpoints'
E. Restart all nodes in the cluster
Answers: A, D

kube-proxy is responsible for implementing the Service abstraction via iptables or IPVS.

Why this answer

Option A is correct because kube-proxy is the component responsible for implementing the ClusterIP Service abstraction by managing iptables or IPVS rules on each node. If kube-proxy is not running, traffic destined for the Service's ClusterIP will not be forwarded to the backend pods, making the Service unreachable from within the cluster.

Exam trap

The trap here is that candidates often assume a Service is always reachable if the pods are running, forgetting that kube-proxy must be healthy and that the Service must have endpoints for traffic to be forwarded.

369
MCQ · medium

You have a Namespace 'team-a' and you want to see all Pods in that namespace, including those that are not ready. Which command should you use?

A. kubectl get pods -n team-a
B. kubectl get pods -n team-a -l app=myapp
C. kubectl get pods --namespace=team-a --field-selector=status.phase!=Running
D. kubectl get pods --all-namespaces
Answer: A

This command lists all pods in the specified namespace.

Why this answer

kubectl get pods -n team-a shows all pods in the namespace, regardless of status. The default output includes pods in any state. Option B ignores the namespace; option C shows pods from all namespaces; option D only shows pods with a specific label.

370
MCQ · hard

You create a Deployment with replicas: 3. You then scale the Deployment to 5 replicas. What is the order of operations that the Deployment controller follows?

A. It creates a new ReplicaSet with 5 replicas and deletes the old one
B. It directly creates 2 new pods without using a ReplicaSet
C. It updates the existing ReplicaSet's replica count to 5, and the ReplicaSet creates the new pods
D. It creates 2 new pods immediately without modifying the existing ReplicaSet
Answer: C

The Deployment controller updates the ReplicaSet's .spec.replicas, and the ReplicaSet controller creates the pods.

Why this answer

When you scale a Deployment, the Deployment controller updates the replica count on the existing ReplicaSet that matches the pod template. The ReplicaSet controller then observes the desired count and creates the additional pods to reach the new target. This ensures that the Deployment's rollout history and rollback capabilities remain intact.

Exam trap

The trap here is that candidates often confuse scaling with a rolling update, assuming a new ReplicaSet is created, when in fact scaling only modifies the existing ReplicaSet's replica count without changing the pod template.

How to eliminate wrong answers

Option A is wrong because the Deployment does not create a new ReplicaSet when scaling; it reuses the existing one, and deleting the old ReplicaSet would lose the rollout history. Option B is wrong because the Deployment controller never creates pods directly; it always delegates pod creation to a ReplicaSet to maintain declarative state and ownership. Option D is wrong because the Deployment controller modifies the ReplicaSet's replica count, and the ReplicaSet creates the pods; it does not create pods independently of the ReplicaSet.

371
MCQ · easy

Which Kubernetes control plane component acts as the entry point for all administrative tasks and provides the REST API?

A. kube-scheduler
B. etcd
C. kube-controller-manager
D. kube-apiserver
Answer: D

The API server exposes the Kubernetes API and handles all administrative requests.

Why this answer

The kube-apiserver is the front-end of the Kubernetes control plane, exposing the Kubernetes REST API. All administrative tasks, such as creating pods, scaling deployments, and querying cluster state, are performed by sending HTTP requests to this component. It validates and processes these requests before storing the resulting state in etcd.

Exam trap

CNCF often tests the misconception that etcd is the entry point because it stores cluster data, but the trap is that etcd is a backend datastore with no direct REST API for administrative tasks—the kube-apiserver is the sole gateway for all client interactions.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is responsible for assigning pods to nodes based on resource availability and scheduling policies, not for handling administrative API requests. Option B is wrong because etcd is a distributed key-value store used for cluster state persistence, not an API entry point; it is accessed internally by the API server. Option C is wrong because kube-controller-manager runs controller processes (e.g., ReplicaSet controller, Node controller) that watch the API server for desired state changes, but it does not serve as the REST API endpoint.

372
MCQ · medium

You need to provide configuration data as environment variables to a pod, but the data is not sensitive. Which object should you use?

A. ConfigMap
B. Secret
C. ServiceAccount
D. PersistentVolume
Answer: A

ConfigMap is the correct choice for non-sensitive configuration.

Why this answer

ConfigMap is designed to hold non-sensitive configuration data that can be injected into containers as env vars or files.

373
MCQ · medium

You have a Deployment that must run exactly one replica on each node in the cluster for logging purposes. Which Kubernetes resource should you use?

A. Job
B. Deployment
C. StatefulSet
D. DaemonSet
Answer: D

DaemonSet ensures one pod per node.

Why this answer

DaemonSet ensures that a copy of a pod runs on each node (or a subset), which is ideal for daemons like log collectors.

374
MCQ · medium

Which command creates a Deployment named 'nginx-deployment' from the image 'nginx:1.25' and exposes it on port 80?

A. kubectl create deployment nginx-deployment --image=nginx:1.25 --port=80
B. kubectl run nginx-deployment --image=nginx:1.25 --port=80
C. kubectl apply -f nginx-deployment.yaml
D. kubectl expose deployment nginx-deployment --type=ClusterIP
Answer: A

This creates a Deployment with the specified image and port exposure.

Why this answer

The 'kubectl create deployment' command creates a Deployment, and '--expose' also creates a Service.

375
Multi-Select · hard

Which THREE statements about Kubernetes Services are correct?

Select 3 answers
A. A Service provides a stable IP address and DNS name for a set of Pods.
B. Services use label selectors to identify the target Pods.
C. A Service of type LoadBalancer can be used to expose an application externally.
D. A Service can only route traffic to Pods within the same namespace.
E. The default Service type is NodePort.
Answers: A, B, C

Services provide stable endpoints that decouple clients from individual Pod IPs.

Why this answer

A is correct because a Kubernetes Service provides a stable virtual IP address and a DNS name (via CoreDNS) that remains constant even as the underlying Pods are created, destroyed, or scaled. This decouples clients from the ephemeral nature of Pod IPs, ensuring reliable connectivity.

Exam trap

CNCF often tests the misconception that Services are namespace-scoped for routing, when in fact only the Service object itself is namespaced, but it can target Pods across namespaces if the selector matches.
