




















































































This exam assesses the contributions and impact expected of a “Hero” at KCD Utrecht 2023—recognizing exceptional community service. It tests community mentorship, event support, session facilitation, emergency response, logistics coordination, and contributor engagement. Scenario-based questions involve solving attendee issues, supporting speakers, enhancing event operations, and promoting inclusive community culture.
Typology: Exams





















































































Question 1. Which component stores the desired state of the Kubernetes cluster and is replicated across multiple nodes for high availability?
A) kube-apiserver
B) kube-scheduler
C) etcd
D) kube-controller-manager
Answer: C
Explanation: etcd is a consistent and highly-available key-value store used to persist all cluster data, including the desired state.

Question 2. In a multi-master control plane, which load-balancing strategy ensures that the API server traffic is evenly distributed while preserving client source IPs?
A) Round-robin DNS only
B) IPVS mode with source-preserve
C) Simple TCP proxy without session affinity
D) Random selection on each request
Answer: B
Explanation: IPVS in source-preserve mode forwards traffic while keeping the original client IP, allowing proper RBAC checks and audit logging.

Question 3. When using Cluster API (CAPI) to provision a new workload cluster, which object represents the template for the control plane machines?
A) MachineDeployment
B) KubeadmControlPlane
C) ClusterClass
D) MachineSet
Answer: B
Explanation: KubeadmControlPlane defines the control-plane machine template and configuration for clusters created via CAPI.

Question 4. Which of the following best describes the interaction between kube-scheduler and the kubelet during pod placement?
A) Scheduler directly runs containers on the node
B) Scheduler assigns a node name, kubelet pulls the pod spec and starts containers
C) Kubelet decides the node, scheduler only monitors health
D) Scheduler and kubelet are the same process on each node
Answer: B
Explanation: The scheduler selects a suitable node and writes the binding; the kubelet on that node watches for assigned pods, fetches the spec, and creates containers.

Question 5. To enable vertical scaling based on custom metrics, which component must be installed alongside the VPA controller?
A) Metrics Server only
B) Prometheus Adapter for custom metrics
C) Horizontal Pod Autoscaler
D) kube-proxy
Answer: B
Explanation: VPA can use custom metrics through the Prometheus Adapter, which exposes metrics in the format the VPA expects.

Question 6. Which CNI leverages eBPF for packet processing, providing high-performance networking and network-policy enforcement without iptables?
A) Calico
B) Flannel
C) Cilium

B) Service discovery
C) Load balancer
D) TLS termination
Answer: A
Explanation: Proxyless gRPC uses direct socket connections between services, removing the Envoy sidecar proxy from the request path.

Question 10. Falco detects suspicious activity by monitoring which kernel interface?
A) /proc/sys
B) Netfilter hooks
C) Syscall events via the kernel audit subsystem
D) Docker daemon logs
Answer: C
Explanation: Falco taps into the kernel’s syscall events (via audit or eBPF) to apply rule-based detections in real time.

Question 11. Which OPA Gatekeeper feature allows you to write reusable policies that can be applied across multiple namespaces?
A) ConstraintTemplate
B) AuditConfig
C) MutationWebhook
D) DataSync
Answer: A
Explanation: ConstraintTemplate defines a Rego policy that can be instantiated with multiple Constraints, enabling reuse.

Question 12. Cosign is used primarily for what purpose in a CI/CD pipeline?
A) Scanning container images for CVEs
B) Signing and verifying container images with cryptographic keys
C) Deploying Helm charts automatically
D) Managing Kubernetes secrets
Answer: B
Explanation: Cosign provides a simple workflow to sign container images and verify signatures, ensuring supply-chain integrity.

Question 13. The External Secrets Operator (ESO) retrieves secrets from an external vault and creates which native Kubernetes object?
A) ConfigMap
B) Secret
C) ServiceAccount
D) PersistentVolumeClaim
Answer: B
Explanation: ESO synchronizes external secret stores (e.g., HashiCorp Vault) into Kubernetes Secret resources.

Question 14. In the “Golden Signals” model, which signal best indicates that a service is approaching its resource limits?
A) Latency
B) Traffic
C) Errors
D) Saturation
Answer: D
Explanation: Saturation measures how utilized a resource is (CPU, memory, request queue), indicating capacity pressure.

Answer: A
Explanation: PodKill terminates a specific pod (often the leader), testing the system’s ability to elect a new leader and continue operating.

Question 18. FluxCD’s “kustomization” resource can automatically generate a new image tag based on which feature?
A) ImageUpdateAutomation
B) HelmRelease
C) GitRepository sync
D) NotificationController
Answer: A
Explanation: ImageUpdateAutomation watches container registries and updates the image tag in the kustomization manifest.

Question 19. Argo Rollouts uses which analysis technique to decide whether a canary step should be promoted?
A) Manual approval only
B) Automated metric analysis via Prometheus
C) Random traffic split
D) Fixed time delay
Answer: B
Explanation: Argo Rollouts can query Prometheus metrics (or other sources) to evaluate success criteria before promoting the rollout.

Question 20. When customizing a Helm chart with Kustomize, which field is used to override a specific container image?
A) patchesStrategicMerge
B) images[] in kustomization.yaml
C) configMapGenerator
D) secretGenerator
Answer: B
Explanation: The images field in Kustomize allows you to specify name, newTag, and newName to replace images defined in a Helm chart.

Question 21. Backstage as an Internal Developer Platform (IDP) primarily provides which capability?
A) Automated node provisioning
B) Self-service catalog of services, APIs, and documentation
C) Container runtime security scanning
D) Network policy enforcement
Answer: B
Explanation: Backstage offers a developer portal with a catalog of services, documentation, and templates for self-service development.

Question 22. Kubeflow Pipelines store metadata about runs in which type of backend storage?
A) etcd only
B) MySQL or PostgreSQL
C) ConfigMap
D) In-memory cache
Answer: B
Explanation: Kubeflow Pipelines can use MySQL or PostgreSQL to persist run metadata, artifacts, and lineage information.

Question 23. Kepler (Kubernetes Efficient Power Level Exporter) primarily exports which metric for sustainability reporting?

Question 26. When configuring a Horizontal Pod Autoscaler (HPA) with a custom metric, which API version must be used for the metric specification?
A) autoscaling/v
B) autoscaling/v2beta2 or v2beta
C) metrics.k8s.io/v1beta
D) custom.metrics.k8s.io/v1alpha
Answer: B
Explanation: HPA v2beta1/v2beta2 introduced support for external and custom metrics via the metrics field.

Question 27. Which CNI plugin can enforce network policies using Linux security modules (LSM) rather than iptables?
A) Calico in eBPF mode
B) Flannel VXLAN
C) Weave Net
D) Canal
Answer: A
Explanation: Calico’s eBPF dataplane can use Linux LSM (e.g., BPF LSM) for policy enforcement, avoiding iptables.

Question 28. In Istio, a VirtualService that defines multiple route destinations with weight percentages implements which traffic strategy?
A) Blue-green deployment
B) Canary release
C) Traffic mirroring
D) Traffic splitting
Answer: D
Explanation: Weight-based routing in a VirtualService splits traffic among several destinations.

Question 29. The Gateway API’s “Listener” can be configured with a “TLS” block. Which field inside this block specifies the secret that holds the TLS certificate?
A) certificateRef
B) secretName
C) tlsSecret
D) certRef
Answer: A
Explanation: certificateRef points to a Kubernetes Secret containing the TLS cert and key for the listener.

Question 30. Which of the following best describes the purpose of a “PodDisruptionBudget” (PDB)?
A) Limits the number of pods that can be created per namespace
B) Guarantees a minimum number of pods remain available during voluntary disruptions
C) Enforces resource quotas on pods
D) Controls the maximum number of restarts for a pod
Answer: B
Explanation: A PDB defines the number or percentage of pods that must stay up, protecting against accidental outages during node drains or upgrades.

Question 31. When using Falco with a custom rule that matches a specific container image name, which field in the rule definition captures the image name?
A) proc.name
B) evt.type

A) Git-crypt
B) SealedSecrets
C) External Secrets Operator with a sidecar injector
D) HashiCorp Vault Agent Injector
Answer: D
Explanation: Vault Agent Injector runs as a sidecar, fetching secrets from Vault and writing them to a shared volume, keeping secrets out of Git.

Question 35. The “Saturation” golden signal can be measured for a Kubernetes Service by monitoring which Prometheus metric?
A) http_request_duration_seconds_bucket
B) kube_pod_container_resource_requests_cpu_cores
C) kube_deployment_status_replicas_available
D) kube_service_spec_type
Answer: C
Explanation: The number of available replicas versus desired replicas indicates how saturated the service is in terms of capacity.

Question 36. In a distributed tracing system, which span attribute typically records the HTTP status code of a request?
A) net.host.name
B) http.status_code
C) rpc.method
D) db.system
Answer: B
Explanation: http.status_code is a standard attribute in OpenTelemetry to capture the response status.
Question 37. LitmusChaos defines chaos experiments as Custom Resource Definitions (CRDs). Which field specifies the target pod selector?
A) spec.selector.matchLabels
B) spec.podSelector
C) spec.target.podLabels
D) spec.template.metadata.labels
Answer: B
Explanation: spec.podSelector selects the pods that the chaos experiment will act upon.

Question 38. FluxCD’s “notificationController” can send alerts to which of the following destinations?
A) Only Slack
B) Any webhook-compatible endpoint (e.g., Slack, Teams, email)
C) Only email
D) Only PagerDuty
Answer: B
Explanation: The notificationController is flexible and can deliver messages to any webhook-compatible service.

Question 39. Argo Rollouts supports “analysisTemplates.” What is the primary purpose of an analysisTemplate?
A) Define a Helm chart to be installed during rollout
B) Specify metric queries and success criteria for canary analysis
C) Generate a new Kubernetes namespace for the rollout
D) Backup the current deployment configuration
Answer: B

D) Persistent storage provisioning
Answer: B
Explanation: Katib runs Bayesian or random search experiments to find optimal hyperparameters for ML models.

Question 43. Kepler calculates power usage per pod by correlating which two types of data?
A) Network packets and CPU cycles
B) Node hardware counters (RAPL) and cgroup metrics
C) Disk I/O latency and memory usage
D) GPU utilization and temperature sensors
Answer: B
Explanation: Kepler reads hardware energy counters (e.g., RAPL) and maps them to pod-level cgroup metrics to estimate per-pod power.

Question 44. To protect the kube-controller-manager API, which flag should be set to enforce authentication?
A) --anonymous-auth=false
B) --secure-port=
C) --authorization-mode=AlwaysAllow
D) --insecure-port=
Answer: A
Explanation: Disabling anonymous authentication forces all requests to be authenticated.

Question 45. Which node affinity term would you use to ensure a pod runs only on nodes labeled region=us-east-1?
A) requiredDuringSchedulingIgnoredDuringExecution with key=region, operator=In, values=[us-east-1]
B) preferredDuringSchedulingIgnoredDuringExecution with key=region, operator=Exists
C) requiredDuringSchedulingRequiredDuringExecution with key=region, operator=NotIn
D) nodeSelector with region: us-east-1
Answer: A
Explanation: The requiredDuringSchedulingIgnoredDuringExecution term forces the scheduler to select only nodes matching the given label.

Question 46. When configuring Cilium, which option enables network-policy enforcement using eBPF instead of iptables?
A) --enable-ipv
B) --enable-bpf-masquerade
C) --enable-bpf-policy
D) --enable-l7-proxy
Answer: C
Explanation: --enable-bpf-policy switches policy enforcement to eBPF programs.

Question 47. In Istio, a DestinationRule with trafficPolicy.loadBalancer.simple: ROUND_ROBIN defines what behavior?
A) Random traffic distribution
B) Weighted traffic splitting
C) Simple round-robin load balancing among pods
D) Session affinity based on source IP
Answer: C
Explanation: The simple: ROUND_ROBIN setting tells Envoy to distribute requests evenly across the endpoints.

Explanation: An Application CR in ArgoCD points to a Git repo and path, representing the desired state to sync.

Question 51. When using Prometheus Adapter for custom metrics, which Kubernetes API group does it extend?
A) custom.metrics.k8s.io/v1beta
B) metrics.k8s.io/v1beta
C) autoscaling.k8s.io/v
D) external.metrics.k8s.io/v1alpha
Answer: A
Explanation: The adapter implements the custom.metrics.k8s.io API, exposing user-defined metrics to the HPA.

Question 52. Which Kubernetes admission controller can be used to enforce that all Pods have resource limits defined?
A) NamespaceLifecycle
B) ValidatingAdmissionWebhook (e.g., OPA Gatekeeper)
C) MutatingAdmissionWebhook
D) ServiceAccountIssuerDiscovery
Answer: B
Explanation: A validating webhook (like Gatekeeper) can reject Pods lacking resource limits.

Question 53. In a multi-cluster environment, which FluxCD component enables synchronization of resources across clusters?
A) Flux Kustomize controller
B) Flux Helm controller
C) Flux Multi-GitRepository controller
D) Flux ImageAutomation controller
Answer: C
Explanation: The Multi-GitRepository controller can define a set of clusters to which resources are applied.

Question 54. Which Argo Rollouts strategy uses a “step” definition to gradually increase traffic to the new version?
A) BlueGreen
B) Canary
C) Recreate
D) RollingUpdate
Answer: B
Explanation: Canary strategy defines incremental steps, each increasing traffic to the new replica set.

Question 55. When deploying a GPU-intensive workload with Kubeflow, which custom resource defines the training job?
A) TFJob
B) Pod
C) Deployment
D) StatefulSet
Answer: A
Explanation: TFJob (or PyTorchJob, etc.) is a custom resource used by Kubeflow to manage distributed ML training.

Question 56. Which eBPF-based feature of Cilium provides transparent encryption of pod-to-pod traffic?
A) IPsec mode