Evaluates expertise in designing CKAD exam questions involving application deployment, service configuration, multi-container patterns, ConfigMaps, Secrets, networking, scaling, and troubleshooting. Candidates must generate realistic Kubernetes-based coding and declarative configuration challenges that reflect production scenarios.
Typology: Exams

Question 1. Which Kubernetes object is used to run a one‑time batch job that terminates after completion?
A) Deployment
B) Job
C) DaemonSet
D) CronJob
Answer: B
Explanation: A Job creates one or more Pods that run to completion and then exit, suitable for finite tasks.

Question 2. In a multi‑container Pod, which pattern is best for adding a log‑shipping sidecar that reads logs from the main container’s stdout?
A) Init container
B) Sidecar container
C) Ambassador container
D) Adapter container
Answer: B
Explanation: A sidecar runs alongside the main container, sharing the same network namespace and can access log files or stdout streams.

Question 3. What command creates a new ConfigMap from a literal key‑value pair without contacting the API server?
A) kubectl create configmap mycm --from-literal=key=value --dry-run=client -o yaml
B) kubectl apply -f configmap.yaml
C) kubectl run configmap mycm --image=busybox
D) kubectl edit configmap mycm
Answer: A
Explanation: --dry-run=client -o yaml generates the manifest locally; --from-literal adds a key‑value pair.

Question 4. Which field in a PodSpec specifies an Init Container?
A) containers
B) initContainers
C) sidecars
D) preStart
Answer: B
Explanation: initContainers is a list of containers that run sequentially before any regular containers start.

Question 5. When using a PersistentVolumeClaim, which access mode allows a single node to read/write the volume at a time?
A) ReadWriteMany
B) ReadOnlyMany
C) ReadWriteOnce
D) ReadWriteOncePod
Answer: C
Explanation: ReadWriteOnce permits one node to mount the volume for both read and write.

Question 6. Which Kubernetes Service type creates a stable internal IP address that is reachable only within the cluster?
A) NodePort
B) LoadBalancer

A) maxSurge
B) revisionHistoryLimit
C) maxUnavailable
D) minReadySeconds
Answer: C
Explanation: maxUnavailable defines how many Pods can be down simultaneously during an update.

Question 10. Which of the following best describes a NetworkPolicy that denies all ingress traffic to a namespace?
A) ingress: [] with policyTypes: ["Ingress"]
B) egress: [] with policyTypes: ["Egress"]
C) No NetworkPolicy applied
D) podSelector: {} only
Answer: A
Explanation: An empty ingress list with policyTypes: ["Ingress"] blocks all inbound connections to matching pods.

Question 11. Which command installs a Helm chart named myapp from a local directory and sets the image tag to v2.0?
A) helm install myapp ./mychart --set image.tag=v2.0
B) helm upgrade myapp ./mychart --set image.tag=v2.0
C) helm create myapp --set image.tag=v2.0
D) helm repo add myapp ./mychart
Answer: A
Explanation: helm install deploys a chart; --set overrides values such as image.tag.

Question 12. What is the purpose of the readOnlyRootFilesystem security context setting?
A) Prevents the container from writing to any mounted volume.
B) Makes the container’s root filesystem immutable, improving security.
C) Disallows execution of privileged commands.
D) Forces the container to run as a non‑root user.
Answer: B
Explanation: readOnlyRootFilesystem: true mounts the container’s root FS as read‑only, reducing the attack surface.

Question 13. Which of the following objects can be used to automatically roll back a failed Deployment to its previous revision?
A) ReplicaSet
B) StatefulSet
C) Deployment’s revisionHistoryLimit
D) kubectl rollout undo command
Answer: D
Explanation: kubectl rollout undo deployment/<name> reverts to the last successful revision.

Question 14. In a Pod spec, which field defines a liveness probe that checks HTTP /healthz on port 8080 every 10 seconds?
A) readinessProbe: {httpGet: {path: "/healthz", port: 8080}, periodSeconds: 10}
B) livenessProbe: {httpGet: {path: "/healthz", port: 8080}, periodSeconds: 10}
C) startupProbe: {httpGet: {path: "/healthz", port: 8080}, periodSeconds: 10}
D) livenessProbe: {tcpSocket: {port: 8080}, periodSeconds: 10}

Answer: B
Explanation: spec.selector maps label key‑value pairs to the Pods that the Service will route traffic to.

Question 18. To limit a container to a maximum of 500 Mi of memory, which field should be used?
A) resources.requests.memory
B) resources.limits.memory
C) limits.cpu
D) requests.cpu
Answer: B
Explanation: resources.limits.memory caps the memory usage; exceeding it triggers OOM killing.

Question 19. Which command shows the events associated with a specific Pod?
A) kubectl describe pod <name>
B) kubectl get pod <name> -o yaml
C) kubectl logs <name>
D) kubectl exec <name> -- cat /var/log/events
Answer: A
Explanation: kubectl describe pod includes an “Events” section listing recent lifecycle events.

Question 20. When using Kustomize, which file defines the base resources to be customized?
A) kustomization.yaml
B) Chart.yaml
C) values.yaml
D) Dockerfile
Answer: A
Explanation: kustomization.yaml lists bases, patches, and other customization directives.

Question 21. Which Service type is typically used to expose an application through a cloud provider’s load balancer?
A) ClusterIP
B) NodePort
C) LoadBalancer
D) ExternalName
Answer: C
Explanation: LoadBalancer creates an external load balancer (e.g., AWS ELB) that forwards traffic to the Service.

Question 22. What is the effect of setting restartPolicy: Never in a Pod spec?
A) Pods will be restarted by the kubelet on failure.
B) Pods will never be restarted; they remain terminated.
C) Pods will be automatically recreated by a Deployment.
D) Pods will restart only if a node reboots.
Answer: B
Explanation: restartPolicy: Never tells the kubelet not to restart containers after they exit.

Question 23. Which of the following is NOT a valid way to reference a ConfigMap in a pod?
A) As environment variables via envFrom
B) As a volume mount via configMap volume type

A) Records the command in the Deployment’s annotation for later review.
B) Saves the Deployment YAML to a local file.
C) Enables audit logging for the Deployment.
D) Forces a rollout restart after creation.
Answer: A
Explanation: --record adds the command line to the kubernetes.io/change-cause annotation.

Question 27. Which field in a Deployment’s pod template can be used to set a default CPU request of 200 m?
A) spec.template.spec.resources.limits.cpu
B) spec.template.spec.containers.resources.requests.cpu
C) spec.replicas.cpu
D) spec.template.spec.cpu
Answer: B
Explanation: resources.requests.cpu under each container specifies the guaranteed CPU amount.

Question 28. Which object ensures that exactly one Pod runs on each node in the cluster?
A) Deployment
B) DaemonSet
C) StatefulSet
D) Job
Answer: B
Explanation: DaemonSet creates a copy of the Pod on every node (or a subset based on selectors).

Question 29. Which of the following is a correct way to grant a ServiceAccount read‑only access to Pods in a specific namespace?
A) Create a Role with apiGroups: [""], resources: ["pods"], verbs: ["get","list","watch"] and bind it to the ServiceAccount via a RoleBinding.
B) Create a ClusterRole with the same rules and bind it cluster‑wide.
C) Add the ServiceAccount name to the Pod’s spec.serviceAccountName.
D) Set automountServiceAccountToken: false in the ServiceAccount.
Answer: A
Explanation: A Role scoped to a namespace, combined with a RoleBinding to the ServiceAccount, grants namespace‑level permissions.

Question 30. Which command deletes a Helm release named myapp without prompting for confirmation?
A) helm delete myapp --purge
B) helm uninstall myapp --no-prompt
C) helm uninstall myapp --keep-history
D) helm delete myapp --no-hooks
Answer: A
Explanation: helm delete --purge removes the release and its history; Helm v3 uses helm uninstall but --purge is the legacy flag (acceptable for both versions).

Question 31. What is the primary difference between a ReadWriteMany and a ReadWriteOncePod access mode?
A) ReadWriteMany allows multiple pods on the same node; ReadWriteOncePod restricts to a single pod across the whole cluster.
B) ReadWriteMany is for block storage; ReadWriteOncePod is for file storage.
C) ReadWriteMany permits read‑only mounts; ReadWriteOncePod permits read‑write only.

A) ClusterIP
B) NodePort
C) LoadBalancer
D) ExternalName
Answer: B
Explanation: NodePort opens a static port on every node’s IP, forwarding to the Service.

Question 35. Which of the following is the correct syntax to reference a Secret named db-secret as an environment variable DB_PASSWORD in a container?
A) env:
   - name: DB_PASSWORD
     valueFrom:
       secretKeyRef:
         name: db-secret
         key: password
B) envFrom:
   - secretRef:
       name: db-secret
C) env:
   - name: DB_PASSWORD
     value: db-secret
D) env:
   - name: DB_PASSWORD
     secretKeyRef: db-secret
Answer: A
Explanation: valueFrom.secretKeyRef points to a specific key in the Secret and maps it to an env var.

Question 36. Which of the following objects can be used to enforce that a Pod cannot run as the root user?
A) PodSecurityPolicy (PSP) – runAsUser rule
B) NetworkPolicy – allowRoot flag
C) ResourceQuota – maxRootPods limit
D) ServiceAccount – noRoot annotation
Answer: A
Explanation: PSPs (or the newer Pod Security Standards) can require runAsNonRoot or specific UID ranges.

Question 37. What does the kubectl exec -it <pod> -- /bin/sh command do?
A) Streams the logs of the pod.
B) Starts an interactive shell inside the container.
C) Deletes the pod.
D) Restarts the pod.
Answer: B
Explanation: exec -it runs an interactive command (/bin/sh) inside the specified container.

Question 38. Which of the following is the correct way to define a HorizontalPodAutoscaler that scales between 2 and 5 replicas based on CPU utilization?
A) apiVersion: autoscaling/v2beta2
   kind: HorizontalPodAutoscaler
   spec:
     minReplicas: 2
     maxReplicas: 5
     metrics:
     - type: Resource
       resource:
         name: cpu
         target:
           type: Utilization
           averageUtilization: 80
B) apiVersion: autoscaling/v1
   kind: HorizontalPodAutoscaler
   spec:
     minReplicas: 2
     maxReplicas: 5
     cpuUtilizationPercentage: 80
C) apiVersion: autoscaling/v2beta1
   kind: HorizontalPodAutoscaler
   spec:
     replicas: 2-5
     cpu: 80%
D) apiVersion: autoscaling/v1
   kind: HorizontalPodAutoscaler
   spec:
     minReplicas: 2
     maxReplicas: 5
     targetCPUUtilizationPercentage: 80
Answer: A
Explanation: In v2beta2, metrics array is used; the example correctly sets min/max and CPU target.

Question 39. Which command prints the full YAML manifest of a running Deployment named web without contacting the API server?
A) kubectl get deployment web -o yaml --dry-run=client
B) kubectl describe deployment web

A) spec.rules.http.paths.backend.service.name
B) spec.backend.serviceName
C) metadata.annotations.ingress.backend
D) spec.tls.secretName
Answer: A
Explanation: In the newer API version, the backend is nested under spec.rules[].http.paths[].backend.service.

Question 43. Which command creates a new namespace called dev?
A) kubectl create namespace dev
B) kubectl apply -f namespace.yaml
C) kubectl new namespace dev
D) kubectl init namespace dev
Answer: A
Explanation: kubectl create namespace <name> creates a namespace directly.

Question 44. Which of the following is a valid way to limit the number of Pods that can be created in a namespace?
A) Using a ResourceQuota with pods: <limit>
B) Using a LimitRange with maxPods field
C) Using a NetworkPolicy with maxPods rule
D) Using a PodSecurityPolicy with maxPods attribute
Answer: A
Explanation: ResourceQuota can set a quota on the total number of Pods in a namespace.

Question 45. What does the kubectl get events --sort-by=.metadata.creationTimestamp command do?
A) Retrieves events sorted by the time they were created, newest last.
B) Shows events in reverse alphabetical order.
C) Filters events to only those from the last hour.
D) Deletes all events older than one day.
Answer: A
Explanation: --sort-by orders the output based on the specified field; here it orders by creation time.

Question 46. Which of the following statements about a PersistentVolume is true?
A) PVs are namespaced resources.
B) PVs are cluster‑wide resources that can be claimed by any namespace.
C) PVs automatically delete when the associated PVC is removed.
D) PVs can only be provisioned manually; dynamic provisioning is not supported.
Answer: B
Explanation: PersistentVolumes are cluster‑scoped; they are bound to a PVC in a specific namespace.

Question 47. Which Kubernetes object is used to define custom validation logic for resources?
A) ValidatingAdmissionWebhook
B) MutatingAdmissionWebhook
C) CustomResourceDefinition
D) Operator
Answer: A

D) run: ["node","app.js","--port","8080"]
Answer: A
Explanation: command maps to the container’s entrypoint, args to its arguments.

Question 51. Which of the following is true about the emptyDir volume type?
A) Data persists after the Pod is deleted.
B) Data is stored on the node’s disk and is cleared when the Pod is removed.
C) It can be shared across multiple nodes.
D) It requires a PersistentVolumeClaim to function.
Answer: B
Explanation: emptyDir lives as long as the Pod runs; it is deleted when the Pod terminates.

Question 52. When a Deployment’s spec.strategy.type is set to Recreate, what happens during an update?
A) New Pods are created before old Pods are terminated.
B) All existing Pods are terminated before new Pods are created.
C) Pods are updated in place without recreation.
D) The Deployment rolls back automatically on failure.
Answer: B
Explanation: Recreate shuts down all existing Pods before bringing up the new version.

Question 53. Which field in a Service definition determines the port number on the Service itself?
A) spec.ports.targetPort
B) spec.ports.port
C) spec.ports.nodePort
D) spec.clusterIP
Answer: B
Explanation: spec.ports.port is the Service’s virtual port; targetPort maps to the container port.

Question 54. Which of the following best describes a “Sidecar” container’s lifecycle relative to the main container?
A) It starts after the main container finishes.
B) It runs concurrently with the main container and is terminated when the main container exits.
C) It runs only during Pod initialization.
D) It runs on a separate node.
Answer: B
Explanation: Sidecar containers share the Pod’s lifecycle; they start together and stop when the Pod terminates.

Question 55. Which command adds a label tier=backend to an existing Deployment named api?
A) kubectl label deployment api tier=backend
B) kubectl annotate deployment api tier=backend
C) kubectl set label deployment api tier=backend
D) kubectl edit deployment api
Answer: A
Explanation: kubectl label directly attaches a label to the specified resource.

Question 56. Which of the following is a valid reason to use a ClusterRole instead of a Role?