CKAD Certified Kubernetes Application Developer Practice Exam, Exams of Technology

A task-based, Kubernetes CLI-intensive exam covering Pod design, Deployments, Services, ConfigMaps, Secrets, volumes, probes, multi-container patterns, Helm, and application debugging. It evaluates the ability to architect, containerize, deploy, monitor, and troubleshoot Kubernetes-native applications. Realistic timed scenarios replicate the official CKAD exam environment with YAML creation and cluster-level debugging.

Typology: Exams

2025/2026

Available from 01/11/2026

shilpi-jain-1
shilpi-jain-1 🇮🇳

4.2

(5)

29K documents

1 / 94

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CKAD Certified Kubernetes Application
Developer Practice Exam
**Question 1.** Which Dockerfile instruction is used to set the default command that runs
when a container starts?
A) FROM
B) ENTRYPOINT
C) CMD
D) RUN
Answer: C
Explanation: CMD defines the default command executed when the container launches,
whereas ENTRYPOINT sets the executable and CMD provides default arguments.
**Question 2.** In a multistage Docker build, what is the primary benefit of using an
intermediate stage?
A) Reducing image size by copying only needed artifacts
B) Enabling automatic image updates
C) Allowing multiple containers to share the same base image
D) Providing builtin health checks
Answer: A
Explanation: Multistage builds let you copy only the final binaries from earlier stages,
producing a lean production image without build tools.
**Question 3.** Which command tags an image with a new repository name and tag?
A) docker build -t repo/name:tag .
B) docker push repo/name:tag
C) docker tag source:tag repo/name:tag
D) docker commit source repo/name:tag
Answer: C
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31
pf32
pf33
pf34
pf35
pf36
pf37
pf38
pf39
pf3a
pf3b
pf3c
pf3d
pf3e
pf3f
pf40
pf41
pf42
pf43
pf44
pf45
pf46
pf47
pf48
pf49
pf4a
pf4b
pf4c
pf4d
pf4e
pf4f
pf50
pf51
pf52
pf53
pf54
pf55
pf56
pf57
pf58
pf59
pf5a
pf5b
pf5c
pf5d
pf5e

Partial preview of the text

Download CKAD Certified Kubernetes Application Developer Practice Exam and more Exams Technology in PDF only on Docsity!

Developer Practice Exam

Question 1. Which Dockerfile instruction is used to set the default command that runs when a container starts? A) FROM B) ENTRYPOINT C) CMD D) RUN Answer: C Explanation: CMD defines the default command executed when the container launches, whereas ENTRYPOINT sets the executable and CMD provides default arguments. Question 2. In a multi‑stage Docker build, what is the primary benefit of using an intermediate stage? A) Reducing image size by copying only needed artifacts B) Enabling automatic image updates C) Allowing multiple containers to share the same base image D) Providing built‑in health checks Answer: A Explanation: Multi‑stage builds let you copy only the final binaries from earlier stages, producing a lean production image without build tools. Question 3. Which command tags an image with a new repository name and tag? A) docker build - t repo/name:tag. B) docker push repo/name:tag C) docker tag source:tag repo/name:tag D) docker commit source repo/name:tag Answer: C

Developer Practice Exam

Explanation: docker tag creates a new tag for an existing local image, allowing it to be pushed to a different repository. Question 4. How can you view the layers and metadata of a local Docker image? A) docker inspect image:tag B) docker history image:tag C) docker logs image:tag D) docker diff image:tag Answer: B Explanation: docker history displays each layer’s size, creation command, and metadata for an image. Question 5. Which field in a PodSpec defines the process that runs as PID 1 inside the container? A) command B) args C) entrypoint D) cmd Answer: A Explanation: The command field (equivalent to Docker’s ENTRYPOINT) specifies the executable that becomes PID 1. Question 6. Which Kubernetes workload is best suited for a stateless web application that needs automatic scaling? A) DaemonSet B) StatefulSet

Developer Practice Exam

Question 9. Which workload is appropriate for a database that requires stable network identity and ordered scaling? A) Deployment B) DaemonSet C) StatefulSet D) Job Answer: C Explanation: StatefulSets provide stable pod names, persistent storage, and ordered rolling updates, ideal for databases. Question 10. Which Kubernetes object runs a task to completion and then terminates? A) Deployment B) DaemonSet C) Job D) CronJob Answer: C Explanation: Jobs create pods that run until the specified completion criteria are met, then exit. Question 11. How do you schedule a recurring task that runs every night at 02:00 UTC? A) Create a Deployment with a sleep command B) Use a CronJob with schedule "0 2 * * *" C) Use a Job with backoffLimit set to 1 D) Use a ConfigMap with a cron expression Answer: B Explanation: CronJob resources accept standard cron syntax; "0 2 * * *" runs daily at 02:00 UTC.

Developer Practice Exam

Question 12. Which pattern adds a helper container to a pod to ship logs to an external system? A) Init container pattern B) Sidecar pattern C) Adapter pattern D) Ambassador pattern Answer: B Explanation: The sidecar pattern runs a secondary container alongside the main app to augment functionality, such as log shipping. Question 13. What is the purpose of an init container? A) Provide a persistent storage volume B) Run a task that must complete before other containers start C) Serve as a reverse proxy for the main container D) Continuously monitor health of the pod Answer: B Explanation: Init containers execute sequentially before any app containers start, ensuring prerequisite setup. Question 14. Which pattern normalizes output from an application container before it is consumed by another service? A) Sidecar pattern B) Init container pattern C) Adapter pattern D) Ambassador pattern

Developer Practice Exam

B) ConfigMap C) PersistentVolume D) ServiceAccount Answer: B Explanation: ConfigMaps hold configuration data and can be injected as env vars or mounted as files. Question 18. How can you create a ConfigMap from a directory of configuration files? A) kubectl create configmap mycm --from-file=/path/to/dir B) kubectl apply - f mycm.yaml C) kubectl create secret generic mycm --from-dir=/path/to/dir D) kubectl edit configmap mycm Answer: A Explanation: --from-file can accept a directory, creating key/value pairs for each file. Question 19. When a ConfigMap is updated, how do pods that consume it via volume mounts see the new data? A) They automatically reload within 30 seconds B) They need to be restarted to see changes C) The kubelet updates the mounted files in place, visible immediately D) Changes are not reflected until a new ConfigMap is created Answer: C Explanation: When a ConfigMap is mounted as a volume, the kubelet updates the files on the node, and containers see the change without restart.

Developer Practice Exam

Question 20. Which of the following is required to create a TLS Secret for an Ingress controller? A) base64‑encoded certificate and key fields in a yaml manifest B) Plain‑text certificate and key fields in a yaml manifest C) Only the certificate field, the key is generated automatically D) A Docker image containing the TLS files Answer: A Explanation: TLS Secrets must contain tls.crt and tls.key, both base64‑encoded. Question 21. What is the default QoS class for a pod that has no resource requests or limits defined? A) Guaranteed B) Burstable C) BestEffort D) Critical Answer: C Explanation: Pods without any requests or limits are assigned the BestEffort QoS class. Question 22. Which field defines the minimum amount of CPU a container is guaranteed to receive? A) limits.cpu B) requests.cpu C) resources.cpu D) quota.cpu Answer: B Explanation: resources.requests.cpu specifies the guaranteed CPU reservation for scheduling.

Developer Practice Exam

Explanation: runAsUser sets the UID the container process runs as, enabling non‑root execution. Question 26. What capability must be dropped to prevent a container from binding to privileged ports (<1024) when running as root? A) NET_RAW B) SYS_ADMIN C) CHOWN D) CAP_NET_BIND_SERVICE Answer: D Explanation: CAP_NET_BIND_SERVICE allows binding to low ports; dropping it prevents that privilege. Question 27. Which field in a PodSpec assigns a ServiceAccount to the pod? A) serviceAccountName B) accountName C) securityContext.serviceAccount D) metadata.serviceAccount Answer: A Explanation: serviceAccountName links the pod to a ServiceAccount, providing its token and permissions. Question 28. How can a pod obtain read‑only access to a secret as a file? A) Mount the secret as a volume with readOnly: true B) Set the secret’s immutable field to true C) Use envFrom with secretRef

Developer Practice Exam

D) Encode the secret in base64 and set as env var Answer: A Explanation: Mounting a secret as a volume provides files; the volume can be marked readOnly to prevent modification. Question 29. Which resource type allows you to define a new kind of object, such as “Foo”, that can be managed with kubectl? A) CustomResourceDefinition (CRD) B) ConfigMap C) APIService D) AdmissionWebhook Answer: A Explanation: CRDs extend the Kubernetes API with user‑defined resource types. Question 30. When using Helm, what is the term for a packaged collection of Kubernetes manifests? A) Release B) Chart C) Repository D) Module Answer: B Explanation: A Helm Chart bundles templates, values, and metadata for deployment. Question 31. Which Helm command upgrades an existing release named “myapp” to the latest chart version? A) helm install myapp ./mychart

Developer Practice Exam

A) It does not allocate a virtual IP (ClusterIP) B) It automatically creates an external load balancer C) It only works with StatefulSets D) It provides DNS entries for each pod IP Answer: A Explanation: Setting clusterIP: None creates a headless Service, allowing direct DNS resolution to pod IPs. Question 35. Which label selector matches pods that have the label app=frontend and tier=prod? A) app=frontend,tier=prod B) app in (frontend) && tier in (prod) C) app=frontend && tier=prod D) app=frontend,tier!=prod Answer: A Explanation: Comma‑separated equality-based selectors are ANDed together. Question 36. What is the default behavior of a pod when no NetworkPolicy applies to its namespace? A) All ingress and egress traffic is denied B) All ingress is allowed but egress is denied C) All traffic is allowed D) Only egress is allowed Answer: C Explanation: By default, Kubernetes allows all network traffic; policies are additive and restrictive only when present.

Developer Practice Exam

Question 37. Which NetworkPolicy spec field controls outbound traffic from selected pods? A) ingress B) egress C) podSelector D) policyTypes Answer: B Explanation: The egress field defines rules for outbound connections. Question 38. Which probe type is ideal for an application that takes several minutes to start before it becomes ready? A) LivenessProbe B) ReadinessProbe C) StartupProbe D) HealthProbe Answer: C Explanation: startupProbe delays other probes until the container signals it has started, preventing premature restarts. Question 39. Which probe handler would you use to check that a web server returns HTTP 200 on /healthz? A) exec B) httpGet C) tcpSocket D) grpc Answer: B

Developer Practice Exam

D) kubectl metrics pods Answer: A Explanation: kubectl top pods uses the Metrics Server to display current resource consumption. Question 43. Which command displays detailed information, including events, for a specific deployment? A) kubectl get deployment myapp - o yaml B) kubectl describe deployment myapp C) kubectl logs deployment/myapp D) kubectl edit deployment myapp Answer: B Explanation: kubectl describe shows the deployment’s status, spec, and recent events. Question 44. Which kubectl subcommand creates a temporary debugging container in a running pod? A) kubectl exec - it pod-name -- /bin/sh B) kubectl debug pod/pod-name --image=busybox --target=container-name C) kubectl attach pod-name - c container-name D) kubectl run debug --image=busybox --restart=Never Answer: B Explanation: kubectl debug injects an ephemereal container for troubleshooting. Question 45. A pod is stuck in ImagePullBackOff. Which action is most likely to resolve the issue? A) Delete the pod; it will restart automatically

Developer Practice Exam

B) Increase the pod’s memory limit C) Create or update an imagePullSecret in the namespace and reference it in the pod spec D) Add a readinessProbe to the pod Answer: C Explanation: ImagePullBackOff indicates the image cannot be retrieved; an imagePullSecret provides credentials for private registries. Question 46. Which API version should be used for a Deployment manifest in Kubernetes 1.22 and later? A) apps/v1beta B) extensions/v1beta C) apps/v D) apps/v1beta Answer: C Explanation: apps/v1 is the stable version for Deployments; older beta versions were removed in 1.22. Question 47. Which field in a Deployment’s spec controls the maximum number of pods that can be unavailable during a rolling update? A) maxSurge B) maxUnavailable C) minReadySeconds D) revisionHistoryLimit Answer: B Explanation: strategy.rollingUpdate.maxUnavailable defines how many pods may be down during the update.

Developer Practice Exam

Explanation: Updating a Service’s selector to point to the new set of pods shifts traffic without downtime. Question 51. Which Ingress controller annotation enables TLS termination using a secret named “tls-secret”? A) nginx.ingress.kubernetes.io/ssl-redirect: "true" B) kubernetes.io/tls-acme: "true" C) nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" D) nginx.ingress.kubernetes.io/secure-backends: "true" Answer: A (with the TLS secret defined in the spec.tls block) Explanation: The TLS secret is referenced in the Ingress tls section; the annotation ssl-redirect ensures HTTP is redirected to HTTPS. Question 52. Which of the following best describes a Service of type ExternalName? A) It creates a DNS alias that points to an external hostname. B) It provisions an external load balancer. C) It exposes pods on a static node port. D) It provides a cluster‑internal IP for external services. Answer: A Explanation: ExternalName maps a service name to an external DNS name via CNAME. Question 53. How can you limit a pod to communicate only with other pods that have the label role=db in the same namespace? A) Create a NetworkPolicy with podSelector: {} and ingress from: podSelector: {role: db} B) Set hostNetwork: true in the pod spec C) Use a Service with selector role=db and have the pod call that Service

Developer Practice Exam

D) Add a firewall rule on the node Answer: A Explanation: A NetworkPolicy can restrict ingress to pods matching a specific selector. Question 54. Which field in a PodSpec determines the filesystem group ID for volumes that support POSIX permissions? A) runAsGroup B) fsGroup C) supplementalGroups D) securityContext.groupID Answer: B Explanation: fsGroup sets the GID for volume mounts, allowing shared access among containers. Question 55. What command creates a new namespace called “dev” and sets it as the default for subsequent kubectl commands in the same session? A) kubectl create namespace dev && kubectl config set-context --current --namespace=dev B) kubectl new namespace dev C) kubectl apply - f namespace-dev.yaml && export KUBECONFIG=dev D) kubectl create ns dev && kubectl use dev Answer: A Explanation: kubectl create namespace creates the namespace; kubectl config set-context updates the current context’s namespace. Question 56. Which of the following is a valid way to pass a secret value as an environment variable to a container?