

























































































This exam simulates the experience of presenting at Kubernetes Community Days Spain 2023. It tests session abstract quality, regional audience awareness, cloud-native technical depth, demo readiness, and comprehension of trending topics (supply chain security, platform engineering, multi-cloud orchestration). It emphasizes effective communication, cultural integration, bilingual presentation considerations, and community-building skills.
Typology: Exams


























































































Question 1. Which component stores the cluster’s desired state and serves as the front-end for the Kubernetes API?
A) kubelet
B) kube-proxy
C) API Server
D) etcd
Answer: C
Explanation: The API Server validates and configures data for the API objects. It is the central management point that all other components interact with.

Question 2. In a kubeadm-bootstrapped cluster, which file contains the token used by new nodes to join the control plane?
A) /etc/kubernetes/kubelet.conf
B) /etc/kubernetes/pki/ca.crt
C) /etc/kubernetes/bootstrap-token.csv
D) /var/lib/kubelet/config.yaml
Answer: C
Explanation: The bootstrap-token.csv file lists tokens generated by kubeadm that worker nodes use to authenticate during the kubeadm join process.

Question 3. Which etcd consensus algorithm ensures that a majority of nodes agree on the order of writes?
A) Paxos
B) Raft
C) Gossip
D) Two-phase commit
Answer: B
Explanation: etcd uses the Raft algorithm to achieve distributed consensus, requiring a quorum of members to commit entries.

Question 4. When configuring a highly available control plane with external etcd, which flag must be set on each API Server to point to the etcd cluster?
A) --etcd-servers
B) --etcd-cafile
C) --etcd-keyfile
D) --etcd-certfile
Answer: A
Explanation: The --etcd-servers flag specifies the etcd endpoint(s) the API Server should communicate with.

Question 5. Which of the following is not a valid etcd backup strategy?
A) Snapshotting the data directory while the process is running
B) Using etcdctl snapshot save
C) Copying the etcd data directory after pausing etcd with systemctl stop etcd
D) Restoring directly from a corrupted snapshot file
Answer: D
Explanation: Restoring from a corrupted snapshot will fail; backups must be verified for integrity before restoration.

Question 6. Which Control Plane component is responsible for ensuring that the desired number of pod replicas are running?
A) Scheduler
B) Controller Manager
C) API Server

B) RollingUpdate
C) Blue-Green
D) Canary
Answer: B
Explanation: RollingUpdate increments the new ReplicaSet while decrementing the old one, ensuring continuous availability.

Question 10. In a Canary deployment, how is traffic typically split between the stable and new version?
A) 100 % to the new version until ready
B) 50 % to each version from the start
C) A configurable percentage (e.g., 5 % to new) using a service mesh or Ingress
D) No traffic to new version until manual promotion
Answer: C
Explanation: Canary releases route a small, configurable portion of traffic to the new version to validate behavior before full rollout.

Question 11. Which Kubernetes object is best suited for running a one-time batch job that must complete successfully before the pod is terminated?
A) Deployment
B) Job
C) CronJob
D) DaemonSet
Answer: B
Explanation: A Job creates one or more Pods that run to completion, ensuring the task finishes successfully.

Question 12. Which field in a PodSpec controls the maximum amount of CPU a container can use?
A) limits.cpu
B) requests.cpu
C) resources.cpu
D) maxCPU
Answer: A
Explanation: limits.cpu under resources specifies the hard ceiling for CPU usage; requests.cpu is the guaranteed amount.

Question 13. Which probe is executed before the container’s main process starts, allowing the pod to be considered ready only after successful initialization?
A) LivenessProbe
B) ReadinessProbe
C) StartupProbe
D) InitProbe
Answer: C
Explanation: StartupProbe runs during container startup; if it fails, the container is killed and restarted, preventing premature readiness checks.

Question 14. Which Kubernetes object is used to ensure that a specific set of Pods runs on every node in the cluster?
A) ReplicaSet
B) Deployment
C) DaemonSet
D) StatefulSet
Answer: C

D) ExternalName
Answer: C
Explanation: ClusterIP provides an internal virtual IP reachable only from within the cluster network.

Question 18. When using kube-proxy in IPVS mode, which of the following is true?
A) It replaces iptables with eBPF filters.
B) It uses the Linux kernel’s IPVS module for load-balancing.
C) It only supports UDP traffic.
D) It requires a separate DaemonSet for each node.
Answer: B
Explanation: IPVS mode leverages the Linux IP Virtual Server kernel module, offering higher performance and more scheduling algorithms than iptables.

Question 19. Which Ingress controller annotation enables TLS termination using a secret named “my-tls-secret”?
A) nginx.ingress.kubernetes.io/ssl-passthrough: "true"
B) nginx.ingress.kubernetes.io/secure-backends: "true"
C) nginx.ingress.kubernetes.io/ssl-redirect: "true"
D) nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
Answer: C
Explanation: The ssl-redirect annotation forces TLS termination at the Ingress; the actual secret is referenced in the TLS block of the Ingress spec.

Question 20. Which NetworkPolicy rule would deny all inbound traffic to pods in namespace “prod” except from pods with label app=frontend?
A) allow from app=frontend, deny all else (default deny)
B) deny from app=frontend, allow all else
C) allow all, then deny from app=frontend
D) No NetworkPolicy needed; default allow is sufficient
Answer: A
Explanation: By creating a NetworkPolicy that allows inbound traffic only from pods with app=frontend and relying on the default deny behavior for other traffic, you achieve the desired isolation.

Question 21. In CoreDNS, which plugin is responsible for service discovery within Kubernetes?
A) forward
B) kubernetes
C) hosts
D) cache
Answer: B
Explanation: The kubernetes plugin parses Kubernetes API objects to resolve service names to cluster IPs.

Question 22. Which CNI plugin implements network policies using eBPF and provides transparent encryption?
A) Flannel
B) Calico (with eBPF mode)
C) Weave Net
D) Canal
Answer: B
Explanation: Calico’s eBPF dataplane can enforce network policies via eBPF and optionally encrypt pod-to-pod traffic.

Explanation: The Retain policy leaves the underlying storage asset untouched when the PVC is removed, requiring manual cleanup.

Question 26. In a StatefulSet, which of the following guarantees a stable network identity for each pod?
A) Each pod gets a unique NodePort.
B) Pods receive a DNS name of the form pod-

D) serviceaccount binding to default namespace
Answer: B
Explanation: A ClusterRole with verbs get, list, watch on pods and no namespace restriction provides cluster-wide read access to Pods.

Question 29. To allow a pod to authenticate to the API server using a ServiceAccount token, which volume type must be mounted?
A) emptyDir
B) secret
C) projected
D) configMap
Answer: C
Explanation: The projected volume type is used to mount the ServiceAccount token (and optional other projections) into the pod’s filesystem.

Question 30. Which SecurityContext field prevents a container from running as the root user?
A) runAsUser: 0
B) privileged: false
C) allowPrivilegeEscalation: false
D) runAsNonRoot: true
Answer: D
Explanation: Setting runAsNonRoot to true forces the container runtime to reject any image that attempts to run as UID 0.

Question 31. Which admission controller validates that all Pods have a defined resource request for CPU?
A) NamespaceLifecycle

B) The container repeatedly fails its startup, and the kubelet backs off before retrying.
C) The pod is waiting for a PersistentVolume to bind.
D) The node is unreachable.
Answer: B
Explanation: CrashLoopBackOff occurs when a container exits quickly and repeatedly, causing exponential back-off retries.

Question 35. Which Prometheus metric would you query to view the average CPU usage of a pod over the last 5 minutes?
A) node_cpu_seconds_total
B) container_cpu_usage_seconds_total{pod="

Question 37. When troubleshooting a node that shows “NotReady” status, which command helps you view the node’s condition details?
A) kubectl get nodes -o wide
B) kubectl describe node <node-name>
C) kubectl logs node <node-name>
D) kubectl top node <node-name>
Answer: B
Explanation: kubectl describe node displays conditions, events, and status messages that explain why the node is NotReady.

Question 38. Which of the following is a valid reason for a pod to be stuck in “Pending” due to scheduling?
A) ImagePullBackOff
B) Insufficient CPU resources on any node
C) CrashLoopBackOff
D) Completed
Answer: B
Explanation: If no node has enough allocatable resources to satisfy the pod’s requests, the scheduler cannot place it, leaving it Pending.

Question 39. What does the “kubectl exec -it

D) kubeadm version upgrade vX.Y.Z
Answer: B
Explanation: kubeadm upgrade apply performs the necessary steps to upgrade control-plane binaries and etcd.

Question 43. Which flag controls the maximum number of concurrent ServiceAccount token creations in kube-controller-manager?
A) --service-account-token-max-concurrency
B) --concurrent-service-account-token-creation
C) --max-service-account-tokens
D) --token-creation-workers
Answer: B
Explanation: The flag --concurrent-service-account-token-creation sets the worker count for token generation.

Question 44. Which of the following is a recommended practice for encrypting Secrets at rest?
A) Store them in plain text in etcd.
B) Enable the EncryptionConfiguration in the API Server and use a KMS provider.
C) Use ConfigMaps instead of Secrets.
D) Rely on node-level disk encryption only.
Answer: B
Explanation: The API Server can encrypt Secret data at rest using an EncryptionConfiguration with a KMS plugin or AES-CBC provider.

Question 45. Which resource is used to enforce that all Pods in a namespace run with a specific SELinux level?
A) NetworkPolicy
B) PodSecurityPolicy (deprecated)
C) SecurityContextConstraints (OpenShift)
D) PodSecurityStandard (restricted) with seLinuxOptions
Answer: D
Explanation: PodSecurityStandard (restricted) can require specific SELinux options via the pod’s securityContext.seLinuxOptions field.

Question 46. What does the “kubectl top pod” command display?
A) Pod resource requests and limits.
B) Current CPU and memory usage of each pod.
C) Number of restarts per pod.
D) Pod IP addresses.
Answer: B
Explanation: kubectl top pod queries the Metrics API (provided by metrics-server) to show live CPU and memory consumption.

Question 47. Which of the following is a valid reason for the API Server to reject a request with a “Forbidden” error?
A) The request targets a non-existent resource.
B) The client’s ServiceAccount lacks the required RBAC permission.
C) The cluster is in maintenance mode.
D) The node is NotReady.
Answer: B
Explanation: RBAC denies access when the ServiceAccount (or user) does not have a Role/ClusterRole binding that permits the requested verb on the resource.

Explanation: Kubernetes does not have a built-in TTL for namespaces; a custom controller or CronJob must clean them up.

Question 51. Which flag enables the API Server to serve aggregated APIs from external services?
A) --requestheader-client-ca-file
B) --proxy-client-cert-file
C) --enable-aggregator-routing
D) --requestheader-allowed-names
Answer: C
Explanation: The --enable-aggregator-routing flag activates the API aggregation layer, allowing the API Server to proxy requests to registered external APIs.

Question 52. Which of the following is a characteristic of a DaemonSet update strategy “RollingUpdate” with maxUnavailable set to 1?
A) All pods are deleted before new ones are created.
B) At most one pod can be unavailable during the update.
C) The DaemonSet will recreate pods on every node simultaneously.
D) No pods are updated until the entire set is ready.
Answer: B
Explanation: maxUnavailable:1 ensures that during a rolling update, only one DaemonSet pod may be missing at any time, preserving node-level availability.

Question 53. Which of the following best describes the purpose of the “kube-scheduler” component?
A) It monitors node health and evicts unhealthy pods.
B) It assigns newly created pods to suitable nodes based on constraints and policies.
C) It stores cluster state in etcd.
D) It proxies network traffic between services.
Answer: B
Explanation: The scheduler watches for unscheduled pods and selects nodes that satisfy resource, affinity, taint, and other scheduling constraints.

Question 54. Which annotation on a Service tells kube-proxy to use IPVS instead of iptables?
A) kube-proxy.kubernetes.io/ipvs-mode: "true"
B) ipvs.kubernetes.io/enable: "true"
C) kube-proxy.kubernetes.io/iptables-mode: "false"
D) No annotation; set the kube-proxy mode via the kube-proxy ConfigMap.
Answer: D
Explanation: Switching kube-proxy to IPVS is done by configuring the kube-proxy ConfigMap (mode: ipvs), not via Service annotations.

Question 55. Which of the following is the default reclaim policy for a PersistentVolume provisioned by a dynamic StorageClass?
A) Retain
B) Delete
C) Recycle
D) Archive
Answer: B
Explanation: Dynamically provisioned volumes typically have a Delete reclaim policy so that the underlying storage asset is removed when the PVC is deleted.

Question 56. Which field in a Deployment spec controls the maximum surge of Pods during a RollingUpdate?
A) maxSurge