Kubernetes CKA Certification Practice Exam (55 Questions + 10 Practical Simulations)

A) 10.0.0.0/8 B) 192.168.0.0/16 C) Must be explicitly specified (no default) D) 172.16.0.0/12

Answer: C

Explanation: kubeadm init does not automatically set a default pod network CIDR. You must specify it with the --pod-network-cidr flag. The value depends on your CNI plugin: Calico typically uses 192.168.0.0/16, while Flannel uses 10.244.0.0/16.

A) etcdctl snapshot load B) etcdctl snapshot restore C) etcdctl backup restore D) etcdctl cluster restore

Answer: B

Explanation: Use ETCDCTL_API=3 etcdctl snapshot restore to restore an etcd snapshot. Specify the restore location with --data-dir, then restart the etcd service with the new data directory configured.

A) ClusterRole applies to only one namespace B) Role can access cluster-wide resources C) ClusterRole can apply to cluster-scoped resources and across all namespaces D) ClusterRole and Role are functionally identical

Answer: C

Explanation: ClusterRole can grant access to cluster-scoped resources (nodes, persistentvolumes, etc.) and namespace-scoped resources across all namespaces. Role is valid only within a specific namespace.

A) RoleBinding cannot reference a ClusterRole B) ClusterRoleBinding applies to a specific namespace only C) RoleBinding grants permissions within a specific namespace; ClusterRoleBinding grants permissions cluster-wide D) Both have identical scope

Answer: C

Explanation: RoleBinding grants access to resources within a specific namespace. ClusterRoleBinding grants access cluster-wide. When a RoleBinding references a ClusterRole, the ClusterRole's permissions apply only within that namespace.

A) Control plane → Worker nodes → etcd B) etcd → Control plane → Worker nodes C) Worker nodes → Control plane → etcd D) kubeadm upgrade plan → kubeadm upgrade apply → upgrade kubelet/kubectl

Answer: D

Explanation: The correct upgrade sequence: 1) kubeadm upgrade plan to check available versions, 2) kubeadm upgrade apply vX.Y.Z to upgrade control plane, 3) Upgrade kubelet and kubectl, 4) Run kubeadm upgrade node on each worker, 5) Upgrade worker node kubelet.

A) /etc/ssl/kubernetes/ B) /var/lib/kubernetes/ C) /etc/kubernetes/pki/ D) /home/kubernetes/certs/

Answer: C

Explanation: In kubeadm-provisioned clusters, certificates reside in /etc/kubernetes/pki/. This includes apiserver.crt, apiserver.key, ca.crt, ca.key, and other component certificates.

A) Creates a new kubeconfig file B) Changes the currently active context C) Adds a new user to the cluster D) Changes the namespace

Answer: B

Explanation: kubectl config use-context CONTEXT_NAME switches the active context in the kubeconfig file. In the CKA exam, you must switch contexts for each question, making this a critical command.

A) kubectl label node NODE_NAME key=value:NoSchedule B) kubectl taint node NODE_NAME key=value:NoSchedule C) kubectl annotate node NODE_NAME key=value:NoSchedule D) kubectl mark node NODE_NAME key=value:NoSchedule

Answer: B

Explanation: Use kubectl taint nodes NODE_NAME key=value:effect to add a taint. Effects can be NoSchedule, PreferNoSchedule, or NoExecute. To remove: kubectl taint nodes NODE_NAME key=value:NoSchedule-

A) Use the kubectl create pod command B) Place a YAML manifest in the kubelet-watched directory (default: /etc/kubernetes/manifests/) C) Make a direct API call to kube-apiserver D) Write data directly to etcd

Answer: B

Explanation: Static Pods are created by placing Pod manifest files in the directory watched by kubelet (default: /etc/kubernetes/manifests/). kubelet detects the file and runs the Pod. Control plane components like kube-apiserver, etcd, controller-manager, and scheduler run as Static Pods.

A) Generating cluster certificates B) Authentication credentials for a worker node to securely join the control plane C) Configuring network CNI D) Joining the etcd cluster

Answer: B

Explanation: --token is a Bootstrap Token for temporary authentication between worker nodes and the control plane. --discovery-token-ca-cert-hash is a hash of the CA certificate that prevents man-in-the-middle attacks. Regenerate with kubeadm token create --print-join-command.

A) maxSurge B) maxUnavailable C) minReadySeconds D) revisionHistoryLimit

Answer: B

Explanation: spec.strategy.rollingUpdate.maxUnavailable specifies the maximum number (or percentage) of Pods that can be unavailable during a rolling update. maxSurge specifies the maximum number of additional Pods that can be created above the desired count. Both default to 25%.

A) BestEffort B) Burstable C) Guaranteed D) Reserved

Answer: C

Explanation: Guaranteed QoS requires all containers in the Pod to have CPU and memory requests equal to their limits. Burstable is when requests and limits differ. BestEffort is when no requests or limits are set at all.

A) nodeSelector supports more complex rules B) nodeAffinity supports required/preferred rules and operators like In, NotIn, Exists, etc. C) nodeSelector uses annotations instead of labels D) nodeAffinity is deprecated

Answer: B

Explanation: nodeAffinity is more expressive: it supports requiredDuringSchedulingIgnoredDuringExecution (hard requirements) and preferredDuringSchedulingIgnoredDuringExecution (soft requirements), plus operators In, NotIn, Exists, DoesNotExist, Gt, Lt.

A) To maintain a fixed number of Pod replicas B) To run one Pod on each (or selected) node C) To run stateful applications with ordered Pod management D) To run batch jobs

Answer: B

Explanation: DaemonSet ensures one Pod per node across all (or node-selector-matching) nodes. Common use cases include node monitoring agents, log collectors, and network plugins. New nodes automatically get a Pod when they join the cluster.

A) pod-random-suffix B) statefulset-name-0, statefulset-name-1, ... C) statefulset-name-random D) pod-0, pod-1, ...

Answer: B

Explanation: StatefulSet Pods have predictable names: statefulset-name-0, statefulset-name-1, and so on. These stable identities are one of the core features StatefulSet provides, enabling ordered deployment, scaling, and deletion.

A) completions: simultaneous Pods, parallelism: total tasks B) completions: total tasks to complete, parallelism: simultaneous Pod count C) completions: retry count, parallelism: timeout D) Both fields control retry behavior

Answer: B

Explanation: completions specifies the total number of Pods that must complete successfully. parallelism specifies how many Pods can run simultaneously. Example: completions=10, parallelism=3 processes 10 tasks 3 at a time.

A) Include timezone info in the spec.schedule field B) Use spec.timeZone with an IANA timezone name (Kubernetes 1.27+) C) Only possible via cluster-wide configuration D) CronJob does not support timezones

Answer: B

Explanation: Since Kubernetes 1.27 (GA), spec.timeZone accepts IANA timezone names like "America/New_York" or "Asia/Tokyo". Before 1.27, all schedules were UTC-only.

A) Pod Affinity targets specific nodes; Pod Anti-Affinity targets Pods on specific nodes B) Pod Affinity schedules near specific Pods; Pod Anti-Affinity schedules away from specific Pods C) Both concepts are identical D) Pod Anti-Affinity is deprecated

Answer: B

Explanation: Pod Affinity schedules a Pod on the same node/zone as Pods with matching labels (e.g., co-locating a cache with its app). Pod Anti-Affinity schedules a Pod away from Pods with matching labels (e.g., spreading replicas across nodes for availability).

A) Filters by label B) Filters by specific field values on the resource object C) Filters by annotation D) Filters by namespace

Answer: B

Explanation: --field-selector filters by actual resource field values like status.phase, metadata.name, or spec.nodeName. This differs from --selector / -l which filters by labels.

A) Forces a Pod to schedule on a specific node B) Allows a Pod to be scheduled on nodes with matching taints C) Removes Pods from a specific node D) Adds new taints to a node

Answer: B

Explanation: Taints on nodes repel Pods that don't tolerate them. Tolerations on Pods declare they can "tolerate" specific taints. Having a toleration doesn't guarantee the Pod will land on that node — it just permits scheduling there.

A) Accessible from outside the cluster B) Accessible through a specific port on each node C) Provides a virtual IP accessible only within the cluster D) Automatically creates a load balancer

Answer: C

Explanation: ClusterIP services assign a virtual IP (the Cluster IP) that is only reachable within the cluster. They cannot be accessed externally and are used for inter-service communication. ClusterIP is the default service type.

A) 1-1024 B) 1024-65535 C) 30000-32767 D) 8000-9000

Answer: C

Explanation: The default NodePort range is 30000-32767. This can be changed with the --service-node-port-range flag on kube-apiserver. If not specified, a port is automatically assigned within this range.

A) service-name.cluster.local B) service-name.namespace.svc.cluster.local C) namespace.service-name.cluster.local D) service-name.default.kubernetes.local

Answer: B

Explanation: The fully qualified DNS name for a service is service-name.namespace.svc.cluster.local. Within the same namespace, service-name alone is sufficient. Pod DNS follows the format pod-ip-dashes.namespace.pod.cluster.local.

A) kube-proxy must be in IPVS mode B) A CNI plugin that supports NetworkPolicy is required C) The cluster must run on a cloud provider D) An Ingress Controller must be installed

Answer: B

Explanation: NetworkPolicy enforcement requires a compatible CNI plugin. Calico, Cilium, and WeaveNet support NetworkPolicy. Flannel does not natively enforce NetworkPolicy. Without a compatible CNI, creating NetworkPolicy objects has no effect on traffic.

A) A NodePort service must exist B) A LoadBalancer service must exist C) An Ingress Controller must be deployed in the cluster D) kube-proxy must be running

Answer: C

Explanation: An Ingress resource alone does not process traffic. An Ingress Controller (nginx, Traefik, HAProxy, etc.) must be deployed to watch Ingress resources and handle actual routing.

A) userspace B) iptables C) IPVS D) ebpf

Answer: B

Explanation: The default kube-proxy mode is iptables. IPVS mode supports more load-balancing algorithms and offers better performance at scale. CNIs like Cilium can handle service routing via eBPF without kube-proxy.

A) Blocks external traffic B) Routes traffic only to Pods on the receiving node, preserving the client IP C) Distributes traffic evenly across all nodes D) Only applies to LoadBalancer services

Answer: B

Explanation: With externalTrafficPolicy: Local, external traffic is delivered only to nodes that host the targeted Pod, preserving the original client IP. However, connections to nodes without the Pod are rejected. The default Cluster policy SNATs traffic and routes it to any node.

A) Manages container runtimes B) Handles network connectivity between Pods and IP address assignment C) Manages communication with the Kubernetes API server D) Mounts storage volumes

Answer: B

Explanation: CNI plugins configure network interfaces when Pods are created, assign IP addresses, and set up routing for Pod-to-Pod communication. Flannel, Calico, Cilium, WeaveNet, and Canal are common CNI plugins.

A) The service cannot be accessed externally B) DNS returns individual Pod IPs directly, allowing clients to choose Pods C) Routes to a random Pod without load balancing D) Can only be used with StatefulSets

Answer: B

Explanation: A headless service with clusterIP: None has no virtual IP. DNS returns the actual Pod IPs directly. Combined with StatefulSet, each Pod gets a stable DNS name like pod-0.service.namespace.svc.cluster.local.

A) Selects no Pods B) Selects all Pods in the namespace C) Selects all Pods across all namespaces D) Selects only system Pods

Answer: B

Explanation: An empty podSelector: {} selects all Pods in the namespace where the NetworkPolicy is deployed. This is commonly used to apply a default-deny policy to all Pods in a namespace.

A) The PV is automatically deleted B) The PV data is wiped and reset C) The PV is retained and must be manually reclaimed by an admin D) The PV is automatically bound to another PVC

Answer: C

Explanation: With the Retain policy, the PV persists after the PVC is deleted. The PV enters the Released state and the data is preserved. An admin must manually delete or reconfigure the PV to make it available again. Delete removes the PV; Recycle is deprecated.

A) Read/write from one node B) Read-only from multiple nodes simultaneously C) Read/write from multiple nodes simultaneously D) Read/write from only one Pod

Answer: C

Explanation: ReadWriteMany (RWX) allows the volume to be mounted read-write by multiple nodes simultaneously. NFS, CephFS, and Azure File support this mode. ReadWriteOnce (RWO) allows read-write from one node; ReadOnlyMany (ROX) allows read-only from multiple nodes.

A) Manages existing PVs B) Defines storage properties for dynamic PV provisioning C) Directly assigns storage to Pods D) Blocks access to network storage

Answer: B

Explanation: StorageClass defines how PVs are dynamically provisioned when a PVC is created. It specifies the provisioner (e.g., kubernetes.io/aws-ebs), reclaimPolicy, and parameters. volumeBindingMode: WaitForFirstConsumer delays PV creation until a Pod is scheduled.

A) Data persists across node restarts B) Deleted when the Pod is removed; useful for sharing data between containers in a Pod C) Can be shared across multiple Pods D) Accesses external storage without a PVC

Answer: B

Explanation: emptyDir is created when a Pod is assigned to a node and deleted when the Pod is removed. It is useful for sharing files between containers within the same Pod. By default it uses node disk; with medium: Memory it uses tmpfs.

A) Faster than environment variable injection B) Changes to the ConfigMap are automatically reflected in the mounted files at runtime C) Can store encrypted data D) Data persists like permanent storage

Answer: B

Explanation: When a ConfigMap is volume-mounted, updates to the ConfigMap are automatically propagated to the mounted files (within kubelet's syncFrequency). ConfigMaps injected as environment variables are not updated until the Pod is restarted.

A) Use kubectl get pod to list Pods B) Use kubectl logs to check container logs C) Delete and recreate the Pod D) Restart the node

Answer: B

Explanation: CrashLoopBackOff means the container is repeatedly crashing and being restarted. Check kubectl logs POD_NAME for stdout/stderr output. Use kubectl logs POD_NAME --previous for logs from the last crash. kubectl describe pod shows Events too.

A) Insufficient CPU/memory for the Pod B) Incorrect image name/tag or missing credentials for a private registry C) NetworkPolicy blocking traffic D) PVC binding failure

Answer: B

Explanation: ImagePullBackOff causes: 1) wrong image name or tag, 2) image doesn't exist, 3) missing imagePullSecrets for private registry, 4) network connectivity issue. Check kubectl describe pod Events for the specific error message.

A) Only check kube-apiserver logs B) kubelet service status, logs, network connectivity, disk/memory pressure C) Only check etcd status D) Delete and recreate Pods

Answer: B

Explanation: Diagnosing NotReady: 1) systemctl status kubelet to check kubelet state, 2) journalctl -u kubelet -f for kubelet logs, 3) Check disk/memory/PID pressure in kubectl describe node, 4) Verify network connectivity, 5) Check container runtime (containerd/docker) status.

A) kubectl get etcd B) etcdctl endpoint health C) systemctl status etcd D) kubectl describe etcd

Answer: B

Explanation: ETCDCTL_API=3 etcdctl endpoint health --endpoints=https://127.0.0.1:2379 --cacert=... --cert=... --key=... checks cluster health. etcdctl endpoint status shows per-member status including leader information.

A) kubectl exec POD_NAME COMMAND B) kubectl exec -it POD_NAME -- COMMAND C) kubectl run POD_NAME -- COMMAND D) kubectl attach POD_NAME -c COMMAND

Answer: B

Explanation: kubectl exec -it POD_NAME -- /bin/sh opens an interactive shell. -i keeps stdin open, -t allocates a TTY. Add -c CONTAINER_NAME for multi-container Pods. Single command: kubectl exec POD_NAME -- ls /etc

A) kubectl get pod --resources B) kubectl top pod C) kubectl describe pod --metrics D) kubectl stats pod

Answer: B

Explanation: kubectl top pod displays CPU and memory usage per Pod. Requires Metrics Server installed in the cluster. kubectl top node shows node-level resource usage.

A) Container is crashing B) Image cannot be found C) Scheduler cannot find a suitable node, or PVC is not bound D) Network connectivity issue

Answer: C

Explanation: Pending Pod causes: 1) Insufficient resources (CPU/memory) on all nodes, 2) taint/toleration mismatch, 3) No node satisfying nodeSelector/affinity, 4) PVC not bound, 5) Scheduler not running. Check kubectl describe pod Events for specifics.

A) kubectl logs kube-apiserver -n default B) kubectl logs -n kube-system kube-apiserver-NODENAME C) systemctl logs kube-apiserver D) journalctl -u kubernetes

Answer: B

Explanation: The kube-apiserver runs as a Static Pod. Access its logs with kubectl logs -n kube-system kube-apiserver-controlplane (where "controlplane" is the node name). Alternatively: crictl logs CONTAINER_ID.

A) CPU limit exceeded — increase limits.cpu B) Memory limit exceeded — increase limits.memory or optimize app memory usage C) Disk space insufficient — increase PVC size D) Network timeout — add retry settings

Answer: B

Explanation: OOMKilled (Out of Memory Killed) occurs when a container exceeds its limits.memory. Solutions: 1) Increase limits.memory appropriately, 2) Check for memory leaks in the application, 3) For JVM apps, adjust heap size with -Xmx.

A) kubectl get events B) kubectl get events --sort-by=.metadata.creationTimestamp C) kubectl describe events D) kubectl logs events

Answer: B

Explanation: kubectl get events --sort-by=.metadata.creationTimestamp sorts events chronologically. Filter by namespace: kubectl get events -n NAMESPACE. Watch in real time: kubectl get events --watch. Pod events also appear in kubectl describe pod.

A) /etc/kubernetes/kubelet.conf B) /var/lib/kubelet/config.yaml C) /etc/kubelet/config.yaml D) /usr/local/kubernetes/kubelet.conf

Answer: B

Explanation: The default kubelet configuration file is /var/lib/kubelet/config.yaml. Systemd service settings are in /etc/systemd/system/kubelet.service.d/10-kubeadm.conf or /etc/default/kubelet. systemctl status kubelet shows the active configuration.

A) No Pods are running B) No PV satisfies the requirements (storageClass, accessMode, capacity) or dynamic provisioning fails C) Namespace is incorrectly configured D) Node has insufficient disk space

Answer: B

Explanation: PVC Pending causes: 1) Required StorageClass doesn't exist, 2) No PV with the required accessMode, 3) No PV with sufficient capacity, 4) Dynamic provisioning failed, 5) Waiting for Pod scheduling with volumeBindingMode: WaitForFirstConsumer. Check with kubectl describe pvc.

A) Container logs B) IP address, node name, gateway C) Resource usage D) Environment variables

Answer: B

Explanation: The -o wide flag adds IP address, node name (NODE column), Nominated Node, and Readiness Gates to the standard output. Useful for quickly seeing which node a Pod runs on and what IP it has.

A) Error B) Warning FailedScheduling C) Normal SchedulingFailed D) Critical NoNodeAvailable

Answer: B

Explanation: When kube-scheduler cannot schedule a Pod, a Warning FailedScheduling event is generated. Check kubectl describe pod POD_NAME Events section for details like "0/3 nodes are available: 3 Insufficient memory."

A) Rolls back the deployment to the previous version B) Restarts all Pods in a rolling fashion C) Deletes and recreates the Deployment D) Pauses the Pods

Answer: B

Explanation: kubectl rollout restart deployment restarts all Pods in the Deployment using a rolling update strategy. Useful for applying ConfigMap/Secret updates without changing the image or spec. Monitor with kubectl rollout status.

A) kubectl attach B) Set the spec.serviceAccountName field to the ServiceAccount name C) kubectl link D) Add serviceaccount=NAME to Pod labels

Answer: B

Explanation: Set spec.serviceAccountName in the Pod or Deployment spec. If not specified, the default ServiceAccount of the namespace is automatically mounted. The token is available at /var/run/secrets/kubernetes.io/serviceaccount/.

A) kubectl debug node B) kubectl run tmp --image=busybox --rm -it -- /bin/sh C) kubectl create pod debug D) kubectl network debug

Answer: B

Explanation: kubectl run tmp --image=busybox --rm -it -- /bin/sh creates a temporary debugging Pod. --rm auto-deletes it on exit, -it provides interactive TTY. The nicolaka/netshoot image includes extensive network debugging tools.

A) cluster and user are independent and unrelated to context B) A context combines a cluster and user (plus optional namespace) to define how to access a cluster with specific credentials C) A user contains a cluster D) A cluster contains users and contexts

Answer: B

Explanation: A kubeconfig has three sections: clusters (server address and CA), users (credentials), and contexts (cluster + user + namespace combinations). A context defines which cluster to connect to and with which credentials. kubectl config use-context changes the active context.

A) kubectl get pod -o env B) kubectl exec POD_NAME -- env C) kubectl describe pod --env D) kubectl get configmap

Answer: B

Explanation: kubectl exec POD_NAME -- env lists all environment variables in the container. Use kubectl exec POD_NAME -- printenv VARIABLE_NAME for a specific variable. kubectl describe pod also shows the configured environment variables.

A) kube-apiserver B) kube-scheduler C) kubelet D) kube-controller-manager

Answer: C

Explanation: kubelet is a node agent running on every node (control plane and worker nodes), not a control plane component. Control plane components: kube-apiserver, etcd, kube-scheduler, kube-controller-manager. Node components: kubelet, kube-proxy, container runtime.