




































































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
The Certified Kubernetes Application Developer CKAD Ultimate Exam is an advanced preparation solution tailored for developers and DevOps professionals building cloud-native applications using Kubernetes. This exam guide focuses on application design, deployment, configuration, observability, scaling, networking, and troubleshooting within Kubernetes environments. Candidates learn how to create containerized applications, manage configuration using ConfigMaps and Secrets, implement probes, optimize workloads, and automate deployment pipelines. The Ultimate Exam emphasizes practical application development skills and provides realistic coding scenarios, Kubernetes YAML exercises, and developer-focused problem-solving techniques that support success in modern container orchestration environments and CKAD certification preparation.
Typology: Exams
1 / 76
This page cannot be seen from the preview
Don't miss anything!





































































Question 1. Which Dockerfile instruction is most effective for reducing the final image size in a multi- stage build? A) FROM B) COPY --from C) RUN rm - rf D) ENV Answer: B Explanation: Multi-stage builds allow you to use a large image for building an application and then use COPY --from to move only the compiled artifacts into a much smaller base image, effectively minimizing the final footprint. Question 2. When creating a Job in Kubernetes, what happens to the Pods after the Job completes successfully? A) They are immediately deleted. B) They stay in a 'Running' state. C) They remain in a 'Succeeded' state until manually deleted. D) They are moved to a different node. Answer: C Explanation: Kubernetes keeps completed Pods in the 'Succeeded' state so that you can inspect logs and exit codes. They are not automatically deleted unless a TTL controller or manual intervention is used. Question 3. Which multi-container design pattern is used to transform the output of a primary container to meet a standardized format? A) Sidecar B) Ambassador C) Adapter D) Init Container Explanation: The Adapter pattern is specifically designed to standardize or transform the output (like logs or metrics) of a legacy application to match the expectations of a centralized monitoring system. Answer: C
Question 4. An Init Container must complete its execution before which of the following happens? A) The Pod is scheduled to a node. B) The main application container starts. C) The Service starts routing traffic. D) The Volumes are mounted. Answer: B Explanation: Init Containers run to completion before the main app containers start. If an Init Container fails, Kubernetes restarts the Pod until the Init Container succeeds. Question 5. Which volume type is best suited for sharing temporary data between two containers residing in the same Pod? A) hostPath B) persistentVolumeClaim C) emptyDir D) nfs Answer: C Explanation: An emptyDir volume is created when a Pod is assigned to a node and exists as long as that Pod is running on that node. It is the standard way for containers in the same Pod to share transient data. Question 6. To implement a Blue/Green deployment strategy using standard Kubernetes objects, which action is typically taken? A) Update the 'image' field in the existing Deployment. B) Create a second Deployment and update the Service selector to point to the new labels. C) Use a Horizontal Pod Autoscaler. D) Set maxSurge to 100%. Answer: B Explanation: Blue/Green is achieved by having two identical environments (Deployments). Switching traffic involves updating the Service's label selector from the old version (Blue) to the new version (Green).
B) templates/service.yaml C) values.yaml D) requirements.yaml Answer: C Explanation: The values.yaml file provides the default configuration for the templates in a Helm chart. Users can override these during installation using the --set flag or a custom values file. Question 11. Which Kustomize feature allows you to add a common prefix to all resource names in a specific environment? A) commonLabels B) namePrefix C) patchesStrategicMerge D) bases Answer: B Explanation: The namePrefix field in a kustomization.yaml file automatically prepends a string to the names of all resources managed by that Kustomize configuration. Question 12. If a Liveness probe fails, what action does Kubernetes take? A) It stops sending traffic to the Pod. B) It restarts the container. C) It deletes the Deployment. D) It triggers a Horizontal Pod Autoscaler. Answer: B Explanation: The Liveness probe determines if a container is alive. If it fails, the kubelet kills the container, and it is subjected to its restart policy. Question 13. Which probe should be used to ensure a Pod does not receive traffic until its internal cache is fully loaded? A) Liveness probe B) Readiness probe
C) Startup probe D) TCP probe Answer: B Explanation: The Readiness probe determines if a container is ready to service requests. If it fails, the endpoints controller removes the Pod's IP from all Services. Question 14. What is the primary purpose of a Startup probe? A) To restart containers that have hung. B) To signal the HPA to scale up. C) To disable liveness and readiness checks until the application has finished its initial start sequence. D) To check the status of the Node. Answer: C Explanation: Startup probes are for slow-starting containers. They disable liveness and readiness probes until the startup succeeds, preventing the kubelet from killing the container before it is fully up. Question 15. Which command is used to view the real-time resource consumption (CPU/Memory) of Pods in a namespace? A) kubectl describe pods B) kubectl logs C) kubectl top pod D) kubectl get pods - o yaml Answer: C Explanation: kubectl top pod retrieves metrics from the Metrics Server to show current CPU and Memory usage for Pods. Question 16. How can you view logs for a container that has already crashed and restarted? A) kubectl logs --tail= B) kubectl logs --previous C) kubectl describe pod D) kubectl get events
Explanation: allowPrivilegeEscalation: false ensures that no child process of a container can gain more privileges than the container itself. Question 20. What does the 'Requests' field in a container's resource requirements represent? A) The maximum amount of CPU/Memory a container can use. B) The amount of CPU/Memory the kubelet guarantees for the container. C) The amount of disk space needed. D) The number of replicas required. Answer: B Explanation: 'Requests' are the minimum resources the Kubernetes scheduler uses to find a home for the Pod. The node guarantees this amount will be available to the container. Question 21. Which Service type exposes the service on a static port on each Node's IP? A) ClusterIP B) NodePort C) LoadBalancer D) ExternalName Answer: B Explanation: NodePort builds on top of ClusterIP by exposing the service on a specific port (usually 30000 - 32767) on every node in the cluster. Question 22. Which resource is used to manage external access to Services in a cluster, typically providing HTTP load balancing? A) NetworkPolicy B) Ingress C) EndpointSlice D) Gateway Answer: B Explanation: Ingress is an API object that manages external access to the services in a cluster, typically via HTTP, providing features like SSL termination and name-based virtual hosting.
Question 23. What is the purpose of a NetworkPolicy? A) To assign IP addresses to Pods. B) To control the flow of traffic at the IP block or port level (L3/L4). C) To manage DNS entries for Pods. D) To encrypt data in transit. Answer: B Explanation: NetworkPolicy allows you to specify how groups of Pods are allowed to communicate with each other and other network endpoints at the network layer. Question 24. In Kubernetes, which component is responsible for resolving Service names to Cluster IPs? A) Kube-Proxy B) CoreDNS C) Etcd D) Kube-Scheduler Answer: B Explanation: CoreDNS is the standard cluster DNS server that schedules Pods to resolve service names (e.g., my-svc.my-namespace.svc.cluster.local) to their corresponding Cluster IPs. Question 25. Which multi-container pattern involves a container that acts as a proxy for the main application to connect to external databases? A) Sidecar B) Adapter C) Ambassador D) Init Container Answer: C Explanation: The Ambassador pattern uses a container to act as a proxy for the main application, hiding the complexity of connecting to external services (like a sharded database). Question 26. How do you define a CronJob to run every minute?
B) rollbackLimit C) progressDeadlineSeconds D) historyLimit Answer: A Explanation: revisionHistoryLimit specifies the number of old ReplicaSets to retain. Keeping these allows you to roll back to previous versions of your application. Question 30. How do you inject a specific ConfigMap key as an environment variable in a container? A) valueFrom: { configMapKeyRef: { ... } } B) valueFrom: { secretKeyRef: { ... } } C) envFrom: { configMapRef: { ... } } D) volumeMounts: { ... } Answer: A Explanation: configMapKeyRef is used within the env section of a container spec to map a specific key from a ConfigMap to an environment variable. Question 31. Which command is used to scale a deployment named 'worker' to 5 replicas? A) kubectl scale deployment worker --replicas= B) kubectl edit deployment worker C) kubectl update deployment worker 5 D) kubectl autoscale deployment worker --min= Answer: A Explanation: kubectl scale is the standard imperative command to change the number of replicas for a controller like a Deployment or StatefulSet. Question 32. What is the purpose of the 'maxSurge' parameter in a RollingUpdate strategy? A) The maximum number of Pods that can be unavailable. B) The maximum number of Pods that can be created above the desired number of Pods. C) The maximum number of nodes in the cluster.
D) The maximum CPU burst allowed. Answer: B Explanation: maxSurge defines how many additional Pod instances can be created beyond the desired replica count during an update. Question 33. When a PersistentVolumeClaim (PVC) is deleted, what happens to the underlying PersistentVolume (PV) if the reclaim policy is 'Retain'? A) The PV is automatically deleted. B) The PV is scrubbed and made available again. C) The PV remains in the cluster but is marked 'Released' and cannot be reused yet. D) The PV is formatted. Answer: C Explanation: The 'Retain' policy keeps the PV and its data in the cluster after the PVC is deleted. An administrator must manually clean up the data and delete/recreate the PV to reuse it. Question 34. Which Kubernetes resource is best for running a database that requires a stable network identity and persistent storage? A) Deployment B) DaemonSet C) StatefulSet D) Job Answer: C Explanation: StatefulSets provide stable, unique network identifiers and persistent storage that persists across Pod rescheduling, making them ideal for stateful applications like databases. Question 35. To troubleshoot a Pod that won't start, which command provides a list of events including image pull failures or scheduling issues? A) kubectl logs B) kubectl get pods C) kubectl describe pod
Explanation: NetworkPolicies use a podSelector (label-based) to identify the group of Pods the policy should govern. Question 39. Which field in an Ingress resource specifies the URL path to match? A) host B) path C) serviceName D) backend Answer: B Explanation: The path field under http.paths defines the URI prefix or regex used to route incoming requests to a specific backend service. Question 40. To restrict a Pod to run only on nodes labeled 'disktype=ssd', which field should you use in the Pod spec? A) nodeName B) nodeSelector C) affinity D) tolerations Answer: B Explanation: nodeSelector is the simplest way to constrain Pods to nodes with particular labels. The node must have the exact label specified. Question 41. What is the role of a ServiceAccount in Kubernetes? A) To manage user passwords. B) To provide an identity for processes running in a Pod. C) To define billing accounts for the cloud provider. D) To manage node SSH keys. Answer: B Explanation: ServiceAccounts provide an identity for Pods. This identity allows the Pod to authenticate with the Kubernetes API server to perform actions governed by RBAC.
Question 42. Which Kustomize file lists the source resources (bases) to be modified? A) kustomization.yaml B) patch.yaml C) base.yaml D) overlay.yaml Answer: A Explanation: kustomization.yaml is the configuration file for Kustomize. It uses the resources field to point to the base manifests it will modify. Question 43. Which command creates a ConfigMap from a literal value? A) kubectl create configmap my-config --from-file=config.txt B) kubectl create configmap my-config --from-literal=key=value C) kubectl apply configmap my-config --data=key=value D) kubectl run configmap my-config --env=key=value Answer: B Explanation: The --from-literal flag allows you to define key-value pairs directly on the command line when creating a ConfigMap. Question 44. What happens if you define a CPU 'Limit' but no 'Request'? A) The request defaults to zero. B) The request is automatically set to equal the limit. C) The Pod will not be scheduled. D) The limit is ignored. Answer: B Explanation: If a limit is specified but no request is defined, Kubernetes automatically sets the request to be equal to the limit. Question 45. Which of these is a valid NetworkPolicy 'Egress' rule?
D) Environment Variable literal Answer: B Explanation: The Downward API allows containers to consume information about their environment (like Pod name, IP, or namespace) without using the Kubernetes client or API. Question 49. Which resource ensures that a copy of a Pod is running on every node (or a subset of nodes) in the cluster? A) Deployment B) StatefulSet C) DaemonSet D) ReplicaSet Answer: C Explanation: A DaemonSet ensures that all (or some) Nodes run a copy of a Pod. This is commonly used for log collectors and monitoring agents. Question 50. How can you find which API version to use for a specific resource, like 'Ingress'? A) kubectl api-resources B) kubectl explain ingress C) kubectl version D) kubectl get ingress - v Answer: B Explanation: kubectl explain provides the definition of the resource and its supported API version. Question 51. What is the effect of the 'readOnlyRootFilesystem: true' security context? A) Users cannot log into the container. B) The container cannot write to any directory except explicitly mounted volumes. C) The container cannot read files from the host. D) The container image becomes immutable. Answer: B
Explanation: Setting readOnlyRootFilesystem: true mounts the container's root filesystem as read-only, which is a security best practice to prevent attackers from installing tools or modifying the app. Question 52. Which command is used to update the image of a Deployment named 'myapp' to 'nginx:1.19.1'? A) kubectl set image deployment/myapp containername=nginx:1.19. B) kubectl update deployment myapp --image=nginx:1.19. C) kubectl edit deployment myapp --set image=nginx:1.19. D) kubectl rollout image deployment/myapp nginx:1.19. Answer: A Explanation: kubectl set image is the imperative way to update the container image in a deployment, triggering a rolling update. Question 53. If you want to delete a Pod immediately without waiting for the graceful termination period, which flag do you use? A) --now B) --force --grace-period= C) --immediate D) --kill Answer: B Explanation: Using --force --grace-period=0 bypasses the standard shutdown signal and deletes the object from the API server immediately. Question 54. What is the purpose of the 'Selector' in a Service? A) To choose which Node to run on. B) To identify which Pods should receive traffic from the Service. C) To select the API version. D) To choose the load balancing algorithm. Answer: B
Question 58. In a NetworkPolicy, what does an empty 'podSelector: {}' mean? A) It selects no Pods. B) It selects all Pods in the namespace. C) It is invalid. D) It selects only Pods with no labels. Answer: B Explanation: An empty podSelector in a NetworkPolicy selects all pods in the namespace where the NetworkPolicy is defined. Question 59. What is a 'Custom Resource Definition' (CRD)? A) A way to fix bugs in Kubernetes. B) A resource that allows you to define your own custom API objects in Kubernetes. C) A configuration file for Docker. D) A tool for managing cloud billing. Answer: B Explanation: CRDs allow users to extend the Kubernetes API with their own custom objects, which behave like native resources (e.g., they can be managed via kubectl). Question 60. To debug a running Pod by seeing its environment variables, which command is best? A) kubectl logs B) kubectl exec -- env C) kubectl describe pod D) kubectl get pod - o json Answer: B Explanation: Running the env command via kubectl exec displays the environment variables currently active inside the running container. Question 61. Which Kubernetes primitive is used to ensure a specific number of Pod replicas are running at any given time?
A) Pod B) ReplicaSet C) Service D) ConfigMap Answer: B Explanation: A ReplicaSet's primary purpose is to maintain a stable set of replica Pods running at any given time, though it is usually managed via a Deployment. Question 62. Which command is used to apply a Kustomize configuration in the current directory? A) kubectl apply - f. B) kubectl apply - k. C) kubectl kustomize apply D) kubectl build. | kubectl apply Answer: B Explanation: The - k flag tells kubectl to process the directory as a Kustomize overlay. Question 63. What is the main benefit of using a 'Headless' Service (ClusterIP: None)? A) It provides a single IP for load balancing. B) It allows for direct Pod-to-Pod communication via DNS without a proxy IP. C) It makes the service accessible from the internet. D) It increases security by hiding the IP. Answer: B Explanation: Headless services do not have a Cluster IP. Instead, DNS queries for the service name return the list of all individual Pod IPs, which is useful for stateful applications like databases. Question 64. Which field in a Pod spec is used to specify a user ID for the container process? A) user: 1000 B) securityContext.runAsUser: 1000 C) principal: 1000