Author: Youngju Kim (@fjvbn20031)
- 1. Exam Overview
- 2. The Kubestronaut Program
- 3. Domain Breakdown
- 4. Key Concepts Summary
- 5. Practice Questions (60 Questions)
1. Exam Overview
KCNA (Kubernetes and Cloud Native Associate) is an entry-level certification offered by the CNCF (Cloud Native Computing Foundation).
| Item | Details |
|---|---|
| Duration | 90 minutes |
| Questions | 60 (multiple choice) |
| Passing Score | 75% (45 or more correct) |
| Format | Online proctored |
| Validity | 3 years |
| Cost | USD 250 |
2. The Kubestronaut Program
Kubestronaut is an honorary title awarded by CNCF to individuals who hold all five Kubernetes certifications.
| Certification | Type | Passing Score |
|---|---|---|
| KCNA | Theory (MCQ) | 75% |
| KCSA | Theory (MCQ) | 75% |
| CKA | Performance-based | 66% |
| CKAD | Performance-based | 66% |
| CKS | Performance-based | 67% |
3. Domain Breakdown
| Domain | Weight |
|---|---|
| Kubernetes Fundamentals | 46% |
| Container Orchestration | 22% |
| Cloud Native Architecture | 16% |
| Cloud Native Observability | 8% |
| Cloud Native Application Delivery | 8% |
4. Key Concepts Summary
Kubernetes Architecture
Control Plane Components:
- kube-apiserver: Sole entry point for the cluster, serves the REST API
- etcd: Distributed key-value store for all cluster state
- kube-scheduler: Assigns newly created Pods to nodes
- kube-controller-manager: Runs controller loops for Deployments, ReplicaSets, etc.
Worker Node Components:
- kubelet: Manages Pod lifecycle on each node
- kube-proxy: Manages network rules (iptables/IPVS) for Services
- Container Runtime: containerd, CRI-O, etc. (OCI-compliant)
Core Cloud Native Principles
- 12-Factor App: Methodology for modern cloud application development (codebase, dependencies, config, etc.)
- GitOps: Declarative infrastructure management using Git as the single source of truth
- Service Mesh: Handles inter-service communication at the infrastructure layer (mTLS, traffic management)
5. Practice Questions (60 Questions)
Q1. Which Control Plane component stores all cluster state (configuration, metadata)?
A) kube-apiserver B) etcd C) kube-scheduler D) kube-controller-manager
Answer: B
Explanation: etcd is Kubernetes' distributed key-value store that persistently stores all cluster state and configuration data. Only kube-apiserver directly communicates with etcd.
Q2. Which Control Plane component decides which Worker Node a newly created Pod should be placed on?
A) kubelet B) kube-proxy C) kube-scheduler D) kube-controller-manager
Answer: C
Explanation: kube-scheduler detects newly created Pods that have not yet been assigned to a node and selects the optimal node based on resource requirements, nodeSelector, affinity rules, and other criteria.
Q3. What is the primary role of the kubelet?
A) Managing cluster network policies B) Managing Pod and container lifecycle on each Worker Node C) Authenticating and authorizing API requests D) Storing cluster state data
Answer: B
Explanation: kubelet runs on each Worker Node and manages containers by receiving PodSpecs from kube-apiserver and ensuring the described containers are running and healthy. It communicates with the container runtime to start and stop containers.
Q4. What is the smallest deployable unit in Kubernetes?
A) Container B) Pod C) ReplicaSet D) Node
Answer: B
Explanation: A Pod is the smallest deployable unit in Kubernetes. It contains one or more containers that share a network namespace and storage. Containers within the same Pod communicate via localhost.
Q5. Which component maintains the desired number of Pod replicas for a Deployment?
A) kube-scheduler B) DaemonSet C) ReplicaSet D) StatefulSet
Answer: C
Explanation: A ReplicaSet ensures that a specified number of Pod replicas are running at all times. A Deployment manages ReplicaSets to provide declarative updates and rollback functionality.
Q6. Which Service type is only accessible from within the cluster?
A) NodePort B) LoadBalancer C) ClusterIP D) ExternalName
Answer: C
Explanation: ClusterIP is the default Service type that assigns a virtual IP accessible only within the cluster. NodePort exposes a port on each node for external access, while LoadBalancer provisions a cloud provider's load balancer.
Q7. Which resource is used to logically isolate multiple Kubernetes resources?
A) Label B) Annotation C) Namespace D) ConfigMap
Answer: C
Explanation: Namespaces provide a logical isolation mechanism within a single cluster. They are used for team separation or environment isolation (dev/staging/prod). Default namespaces include: default, kube-system, and kube-public.
Q8. Which Kubernetes resource stores non-sensitive application configuration data?
A) Secret B) ConfigMap C) PersistentVolume D) ServiceAccount
Answer: B
Explanation: ConfigMap stores non-sensitive configuration data as key-value pairs. It can be injected into Pods via environment variables or volume mounts. For sensitive data (passwords, tokens), Secret should be used.
Q9. What best describes the Declarative approach in the Kubernetes API?
A) Issue step-by-step commands for actions to perform B) Define the desired final state and the system converges to that state C) Directly manipulate resources via commands D) Query-only mode for reading current state
Answer: B
Explanation: The declarative approach (e.g., kubectl apply -f manifest.yaml) defines the desired final state in YAML/JSON. Kubernetes compares the current state with the desired state and reconciles them. The imperative approach (e.g., kubectl create deployment) instructs immediate actions.
Q10. Which of the following is NOT part of the OCI (Open Container Initiative) specifications?
A) Image Specification B) Runtime Specification C) Distribution Specification D) Orchestration Specification
Answer: D
Explanation: OCI defines three specifications: Image Spec (image format), Runtime Spec (container execution), and Distribution Spec (registry distribution protocol). Orchestration is not part of OCI specs — it belongs to tools like Kubernetes.
Q11. What is the relationship between containerd and Docker?
A) containerd cannot fully replace Docker B) Docker uses containerd internally, and containerd is an independent container runtime C) containerd is a Kubernetes-only runtime D) Docker and containerd are the same project
Answer: B
Explanation: Docker is a user-friendly platform with CLI and build tools that uses containerd as its underlying container runtime. containerd is a CNCF graduated project that can be used directly with Kubernetes via CRI (Container Runtime Interface) without Docker.
Q12. What is the main reason for setting resource requests and limits on Pods?
A) To limit Pod network speed B) To help the scheduler select appropriate nodes and prevent node resource exhaustion C) To reduce container image size D) To distribute traffic evenly to Services
Answer: B
Explanation: requests serve as the basis for kube-scheduler to select a node. limits restrict the maximum resources a container can use, preventing node resource exhaustion. Exceeding CPU limits causes throttling; exceeding memory limits causes OOMKilled.
Q13. Which statement about Labels and Selectors is correct?
A) Labels are for machines and Annotations are for humans B) Labels are key-value pairs attached to Kubernetes objects, used with Selectors to select groups of objects C) Only one Label can be attached to an object D) Selectors work across Namespaces
Answer: B
Explanation: Labels are key-value pairs like app: nginx or env: production. Services, ReplicaSets, and other resources use Selectors to target Pods with specific Labels. Annotations, unlike Labels, are not used for object selection and store unstructured metadata.
Q14. What is a characteristic of a DaemonSet?
A) Maintains a specified number of Pod replicas B) Runs exactly one Pod on all (or a subset of) nodes in the cluster C) Used for one-time task execution D) Optimized for stateful application deployments
Answer: B
Explanation: A DaemonSet ensures that a Pod runs on every node (or nodes matching a nodeSelector). It is ideal for system daemons that must run on all nodes, such as monitoring agents (Prometheus Node Exporter), log collectors (Fluentd), and network plugins (CNI).
Q15. How does a StatefulSet differ from a Deployment?
A) StatefulSet supports more replicas B) StatefulSet guarantees stable unique network identity and persistent storage for each Pod C) StatefulSet does not support rolling updates D) StatefulSet directly receives external traffic
Answer: B
Explanation: StatefulSet provides each Pod with a stable unique name (pod-0, pod-1...) and persistent storage (PersistentVolumeClaim). It is suited for stateful applications like databases (MySQL, PostgreSQL) and distributed message brokers (Kafka). Pods are started in order and terminated in reverse.
Q16. What is the difference between Node Affinity and nodeSelector?
A) nodeSelector only supports hard rules; Node Affinity supports both hard and soft rules B) Node Affinity is older and nodeSelector is the newer feature C) nodeSelector supports multiple conditions D) The two features are identical
Answer: A
Explanation: nodeSelector only supports simple key=value matching and is always a hard requirement. Node Affinity supports requiredDuringSchedulingIgnoredDuringExecution (hard rule) and preferredDuringSchedulingIgnoredDuringExecution (soft/preferred rule), and allows complex expressions (In, NotIn, Exists, etc.).
Q17. How do Taints and Tolerations work?
A) Taints are applied to Pods and Tolerations to Nodes B) A Taint on a Node prevents Pods that do not Tolerate it from being scheduled there C) Taints force Pods to be placed on specific nodes D) Tolerations restrict network communication between Pods
Answer: B
Explanation: A Taint is set on a node (e.g., kubectl taint nodes node1 key=value:NoSchedule). Only Pods with a matching Toleration can be scheduled on a tainted node. Node Affinity is about Pods preferring/requiring certain nodes. Taints repel unwanted Pods from nodes; Tolerations allow Pods to accept those taints.
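The scheduling rules from Q16 and Q17 side by side in one Pod spec, as an added example that is not part of the original guide; the node labels (disktype, accelerator), the taint key dedicated=batch and the image are constructed for illustration.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: scheduling-demo                # constructed example name
spec:
  # Q16: nodeSelector is always a hard requirement and only supports key=value
  nodeSelector:
    disktype: ssd
  affinity:
    nodeAffinity:
      # hard rule: the node MUST carry one of these zone labels
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: topology.kubernetes.io/zone
                operator: In
                values: ["us-east-1a", "us-east-1b"]
      # soft rule: prefer nodes that carry an accelerator label at all,
      # but still schedule elsewhere if none is free
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 80
          preference:
            matchExpressions:
              - key: accelerator
                operator: Exists
  # Q17: this Pod tolerates the taint created with
  #   kubectl taint nodes node1 dedicated=batch:NoSchedule
  # Without the toleration the scheduler never places it on node1.
  # A toleration only permits placement; it does not force it (affinity does).
  tolerations:
    - key: "dedicated"
      operator: "Equal"
      value: "batch"
      effect: "NoSchedule"
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
```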
Q18. What happens when a Liveness Probe fails?
A) The Pod is immediately deleted B) Traffic is no longer sent to that Pod C) The container is restarted D) The Node is cordoned
Answer: C
Explanation: A Liveness Probe checks whether the application is alive. If it fails, kubelet restarts the container. A Readiness Probe failure removes the Pod from Service endpoints (no traffic), but does not restart the container.
Q19. How does the HPA (Horizontal Pod Autoscaler) work?
A) Dynamically increases CPU/memory resources for existing Pods B) Automatically adjusts the number of replicas in a Deployment based on metrics C) Automatically adds new nodes to the cluster D) Automatically adjusts Pod network bandwidth
Answer: B
Explanation: HPA automatically scales the number of Pod replicas in a Deployment or StatefulSet based on CPU utilization, memory, or custom metrics. VPA (Vertical Pod Autoscaler) adjusts resource requests/limits for individual Pods, while Cluster Autoscaler adjusts the node count.
Q20. In a Rolling Update strategy, what do maxSurge and maxUnavailable mean?
A) maxSurge: max Pods to delete at once; maxUnavailable: max additional Pods to create B) maxSurge: max additional Pods that can be created above desired count; maxUnavailable: max Pods that can be unavailable during update C) maxSurge: maximum node count; maxUnavailable: minimum node count D) Both parameters only apply to StatefulSets
Answer: B
Explanation: In a Rolling Update, maxSurge is the maximum number (absolute or %) of Pods that can be created above the desired replica count. maxUnavailable is the maximum number of Pods that can be in an unavailable state during the update. This enables zero-downtime deployments.
Q21. What is the difference between a Job and a CronJob?
A) Job is for repeated execution; CronJob is for one-time execution B) Job guarantees completion of a one-time task; CronJob creates Jobs on a schedule C) CronJob is not supported in Kubernetes D) Both resources provide the same functionality
Answer: B
Explanation: A Job runs Pods until a specified number complete successfully (batch processing, data migration, etc.). A CronJob creates Job objects on a schedule (like Linux crontab, e.g., 0 2 * * *) for periodic tasks like reports or backups.
Q22. What is the core idea of the "Config" factor in the 12-Factor App?
A) Hard-code configuration in the application code B) Store configuration that varies between environments in environment variables C) Commit configuration files to the source repository D) Store all configuration in a database
Answer: B
Explanation: The 12-Factor Config principle requires storing environment-varying configuration (database URLs, API keys, etc.) in environment variables, separate from code. In Kubernetes, ConfigMaps and Secrets implement this principle.
Q23. Which is NOT an advantage of microservices architecture?
A) Independent deployment and scaling per service B) Flexibility in technology stack choices C) Simple operational complexity D) Fault isolation
Answer: C
Explanation: Microservices offer independent deployment, per-service scaling, technology diversity, and fault isolation. However, they introduce increased operational complexity compared to monoliths — inter-service network latency, distributed transactions, service discovery challenges, and more.
Q24. Which feature is NOT provided by a Service Mesh?
A) mTLS (mutual TLS) encryption between services B) Traffic management (canary deployments, A/B testing) C) Distributed tracing and observability D) Automated container image building
Answer: D
Explanation: Service Meshes (Istio, Linkerd, etc.) provide mTLS, traffic management (weighted routing, circuit breaking), distributed tracing, and observability without application code changes. Container image building is the responsibility of CI pipelines, not service meshes.
Q25. What is the primary capability of Knative?
A) Kubernetes cluster provisioning B) Running serverless workloads (event-driven, scale-to-zero) on top of Kubernetes C) Container registry management D) Distributed database operations
Answer: B
Explanation: Knative is a CNCF project that brings serverless capabilities to Kubernetes. It consists of Serving (auto-scaling HTTP workloads, including scale-to-zero) and Eventing (messaging system connecting event sources and consumers).
Q26. What is a core principle of GitOps?
A) Operators directly access the cluster and apply changes with kubectl B) Git is the single source of truth for infrastructure state; automated agents sync the cluster to match Git C) CI pipelines deploy directly to production clusters D) Infrastructure changes are applied immediately without manual approval
Answer: B
Explanation: GitOps stores all infrastructure and application configuration declaratively in Git. GitOps agents like ArgoCD or Flux continuously synchronize the cluster state to match the Git state. Changes are made via Pull Requests, automatically creating an audit trail.
Q27. What is the main function of ArgoCD?
A) Container image vulnerability scanning B) A GitOps CD tool that continuously syncs a Kubernetes cluster to match a Git repository C) Kubernetes cluster monitoring D) Secret encryption management
Answer: B
Explanation: ArgoCD is a CNCF graduated project that automatically synchronizes Kubernetes cluster state with application definitions stored in Git (Helm charts, Kustomize, raw YAML). It provides a UI dashboard for checking sync status, manual syncing, and rollback.
Q28. What are the Three Pillars of Observability?
A) CPU, Memory, Disk B) Metrics, Logs, Traces C) Deployment, Service, Ingress D) Build, Test, Deploy
Answer: B
Explanation: The three pillars of cloud native observability are Metrics (numeric time-series data), Logs (event-based text records), and Traces (tracking request flows across distributed systems). OpenTelemetry is the unified framework for all three.
Q29. What is Prometheus' data collection method?
A) Applications push data to the Prometheus server B) Prometheus server pulls data from each application's /metrics endpoint C) Data is collected asynchronously via a message broker D) Data is periodically queried from a database
Answer: B
Explanation: Prometheus primarily uses a pull model, scraping metrics from the /metrics HTTP endpoint of monitoring targets at regular intervals. For short-lived jobs where pull is impractical, a Pushgateway allows push-based collection.
Q30. What is the purpose of OpenTelemetry?
A) Automating Kubernetes cluster deployments B) Providing vendor-neutral standard APIs, SDKs, and tools for collecting Metrics, Logs, and Traces C) Standardizing container image registries D) Managing Kubernetes network policies
Answer: B
Explanation: OpenTelemetry (OTel) is a CNCF project providing a vendor-neutral standard for generating, collecting, and exporting observability data (Metrics, Logs, Traces). Adding the OTel SDK to applications allows exporting data to various backends like Prometheus, Jaeger, Zipkin, and Datadog.
Q31. What is Jaeger primarily used for?
A) Aggregating container logs B) Distributed Tracing — tracking request flows across microservices C) Visualizing CPU/memory metrics D) Kubernetes cluster state monitoring
Answer: B
Explanation: Jaeger is a CNCF graduated distributed tracing system. It visualizes how requests flow through services in a microservices architecture and helps identify latency bottlenecks. It provides similar functionality to Zipkin.
Q32. What is Grafana primarily used for?
A) Container image vulnerability scanning B) A dashboard tool for visualizing metrics from various data sources (Prometheus, Elasticsearch, etc.) C) Running CI/CD pipelines D) Managing Kubernetes rolling updates
Answer: B
Explanation: Grafana is an open-source dashboard platform that connects to multiple data sources (Prometheus, InfluxDB, Elasticsearch, Loki, etc.) to visualize metrics, logs, and traces. It also supports alert configuration with AlertManager.
Q33. What is Helm primarily used for?
A) Kubernetes cluster provisioning B) A package manager for packaging, deploying, and managing Kubernetes applications C) Container image build tool D) Node autoscaling
Answer: B
Explanation: Helm is Kubernetes' package manager. It packages multiple related YAML manifests into a Chart. Parameterized deployments are possible via values.yaml, and application lifecycle is managed with helm install, helm upgrade, and helm rollback commands.
Q34. What is the main difference between Kustomize and Helm?
A) Kustomize is paid and Helm is free B) Kustomize customizes YAML via overlays without templates; Helm uses Go template-based packaging C) Kustomize is not officially supported by Kubernetes D) Helm does not support multi-cluster deployments
Answer: B
Explanation: Kustomize is built into Kubernetes (kubectl apply -k). It applies environment-specific differences through overlays without modifying base YAML files. Helm uses Go templates to dynamically generate YAML as a package manager. Both tools are often used together.
Q35. What is the difference between Continuous Delivery and Continuous Deployment?
A) The two terms are identical B) Continuous Delivery requires manual approval before production; Continuous Deployment automatically deploys all the way to production C) Continuous Deployment only auto-deploys to staging environments D) Continuous Delivery is the stage that automatically builds code
Answer: B
Explanation: Continuous Integration (CI) automatically builds and tests code changes. Continuous Delivery auto-deploys to staging but requires manual approval for production. Continuous Deployment automatically deploys all the way to production after tests pass.
Q36. What is the role of kube-proxy?
A) Downloading container images to nodes B) Managing network rules (iptables/IPVS) on each node to route cluster traffic to Pods C) Encrypting communication between Control Plane and Worker Nodes D) Periodically reporting node status
Answer: B
Explanation: kube-proxy runs on each node and updates the node's network rules (iptables by default, or IPVS) when Kubernetes Service objects are created or modified, routing traffic incoming to ClusterIPs to actual Pod IPs.
Q37. What is the relationship between PersistentVolume (PV) and PersistentVolumeClaim (PVC)?
A) PVC is a tool for creating PVs B) PV is storage provisioned by cluster admins; PVC is a resource through which users request storage C) PV and PVC must always be in the same Namespace D) PVC is only used for temporary storage
Answer: B
Explanation: A PersistentVolume (PV) is an actual storage resource provisioned by a cluster administrator. A PersistentVolumeClaim (PVC) is an object through which users request storage by specifying capacity and AccessMode. PVCs bind to PVs and are mounted into Pods. Dynamic provisioning via StorageClass is also supported.
Q38. What is the role of an Ingress resource?
A) Managing internal Pod-to-Pod communication B) Defining rules to route HTTP/HTTPS traffic from outside the cluster to Services C) Encrypting traffic between nodes D) Controlling storage access
Answer: B
Explanation: Ingress defines rules for routing external HTTP/HTTPS requests to in-cluster Services. It supports host-based (app.example.com), path-based (/api, /web) routing, and TLS termination. The actual implementation is carried out by an Ingress Controller (Nginx, Traefik, Envoy, etc.).
Q39. What is the role of CNCF (Cloud Native Computing Foundation)?
A) An organization that directly operates cloud infrastructure B) A Linux Foundation non-profit that stewards open-source cloud native projects and advances the ecosystem C) The company that created Kubernetes D) A consortium of AWS, GCP, and Azure
Answer: B
Explanation: CNCF is a Linux Foundation non-profit that provides a vendor-neutral home for cloud native open-source projects such as Kubernetes, Prometheus, Envoy, containerd, and Argo. Projects progress through Sandbox → Incubating → Graduated maturity levels.
Q40. What is the purpose of a ServiceAccount in Kubernetes?
A) An account for humans to log into the cluster B) An authentication identity used by Pods to call the Kubernetes API C) An account for inter-node authentication D) An account for Ingress access control
Answer: B
Explanation: A ServiceAccount is the identity used by Pods (applications) when accessing the Kubernetes API. A token is automatically issued upon creation, and RBAC is used to grant only necessary permissions. For human access, User or Group accounts are used.
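A least-privilege ServiceAccount wired to RBAC, as an added example (not from the original guide): the account may only read Pods in its own namespace, and its token is only mounted into the one Pod that needs it. Namespace team-a, the names and the image are constructed.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader                  # constructed name
  namespace: team-a                 # constructed namespace
automountServiceAccountToken: false # opt in per Pod instead of mounting a token into every Pod
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                          # namespace-scoped; use ClusterRole only for genuinely cluster-wide access
metadata:
  name: pod-reader
  namespace: team-a
rules:
  - apiGroups: [""]                 # "" is the core API group, where Pods live
    resources: ["pods"]
    verbs: ["get", "list", "watch"] # read only: no create, delete or pods/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: pod-reader
    namespace: team-a
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Only this Pod runs as the account and mounts its token; RBAC above bounds what the token can do.
apiVersion: v1
kind: Pod
metadata:
  name: pod-lister
  namespace: team-a
spec:
  serviceAccountName: pod-reader
  automountServiceAccountToken: true
  containers:
    - name: kubectl
      image: registry.example.com/kubectl:1.0   # placeholder image
      command: ["kubectl", "get", "pods", "--watch"]
```

Verify the binding without a Pod: `kubectl auth can-i list pods --as=system:serviceaccount:team-a:pod-reader -n team-a` should answer yes, and the same query for `delete pods` should answer no.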
Q41. Which statement about container image layers is correct?
A) Each RUN instruction creates a new layer; layers are immutable and reused B) A container image consists of a single layer C) Layers change dynamically at runtime D) Image layers are only cached on Kubernetes Nodes
Answer: A
Explanation: Docker/OCI images are a stack of immutable layers. Each Dockerfile instruction (FROM, RUN, COPY, etc.) creates a new layer. Identical layers are shared (reused) across multiple images to save storage. A read-write layer is added on top when a container runs.
Q42. What does "Immutable Infrastructure" mean in a cloud native context?
A) A policy of never deleting servers B) Never modifying deployed infrastructure; replacing with new instances when changes are needed C) Locking data so it cannot be changed D) Keeping infrastructure code read-only
Answer: B
Explanation: Immutable Infrastructure means deployed servers or containers are never modified in-place. When changes are needed, a new image is built and the instance is replaced. This prevents "configuration drift" and ensures consistency. The Kubernetes container model follows this principle.
Q43. What is a key characteristic of KEDA (Kubernetes Event-Driven Autoscaler)?
A) It only scales based on CPU/memory B) It auto-scales Pods from zero based on external event sources like message queue depth or event count C) It automatically adjusts cluster node counts D) It performs the same function as VPA
Answer: B
Explanation: KEDA is a CNCF graduated project that auto-scales Pods from 0 to N based on event-driven metrics from 60+ scalers including Kafka topic lag, RabbitMQ queue depth, Azure Service Bus, and AWS SQS. It extends the standard HPA.
Q44. What is the default behavior in Kubernetes when no NetworkPolicy is applied?
A) All Pod-to-Pod traffic is blocked by default B) All Pod-to-Pod traffic is allowed when no NetworkPolicy exists C) NetworkPolicy only controls communication between Control Plane components D) NetworkPolicy only controls external internet traffic
Answer: B
Explanation: Kubernetes follows an "open by default" policy — all Pod-to-Pod traffic is allowed when no NetworkPolicy objects exist. Applying a NetworkPolicy to a Pod whitelists allowed Ingress/Egress traffic. NetworkPolicy enforcement is handled by CNI plugins (Calico, Cilium, etc.).
Q45. How is data stored in a Secret object by default?
A) Encrypted with AES-256 B) Base64-encoded and stored in etcd (not encrypted) C) Stored as a SHA-256 hash D) Stored as plain text
Answer: B
Explanation: Data in Kubernetes Secrets is stored as base64-encoded values in etcd. Base64 is encoding, not encryption. For security, it is recommended to enable etcd Encryption at Rest or use external secret management tools like HashiCorp Vault or External Secrets Operator.
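What a Secret actually contains, next to the kube-apiserver configuration that enables encryption at rest, as an added example not from the original guide. The Secret value "password123" is constructed, and the key material is a placeholder you generate yourself.

```yaml
# --- secret.yaml: what kubectl apply sends, and what etcd stores verbatim
#     when encryption at rest is not enabled.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials          # constructed name
type: Opaque
data:
  # base64 of the constructed value "password123". Anyone who can read the
  # object (kubectl get secret -o yaml, or the raw etcd data files) recovers
  # the plaintext with:  echo cGFzc3dvcmQxMjM= | base64 -d
  password: cGFzc3dvcmQxMjM=
---
# --- encryption-config.yaml: a kube-apiserver configuration file (not a cluster
#     object), referenced via --encryption-provider-config=<path to this file>.
#     With it in place, Secrets are encrypted before they are written to etcd.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # the first provider encrypts new writes; every listed provider is tried on read
      - secretbox:
          keys:
            - name: key1
              # placeholder: a random 32-byte key, base64-encoded,
              # e.g. generated with  head -c 32 /dev/urandom | base64
              secret: <BASE64_ENCODED_32_BYTE_RANDOM_KEY>
      # identity (= no encryption) stays last so Secrets written before the
      # change remain readable until they are rewritten
      - identity: {}
```

After restarting kube-apiserver with the flag, rewrite existing Secrets so they are stored encrypted: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`.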
Q46. Which statement about Kubernetes etcd is correct?
A) etcd runs on Worker Nodes B) etcd is a distributed key-value store using the Raft consensus algorithm; an odd number of instances (3, 5, 7) is recommended C) etcd stores container images D) etcd data is stored only in memory and resets on restart
Answer: B
Explanation: etcd is the Control Plane's distributed key-value store that persistently stores all Kubernetes cluster state. It uses the Raft consensus algorithm to guarantee data consistency. 3, 5, or 7 (odd number) instances are recommended for high availability. Loss of etcd data means loss of the entire cluster, so regular backups are essential.
Q47. Which is NOT a valid Pod restartPolicy option?
A) Always B) OnFailure C) Never D) OnSuccess
Answer: D
Explanation: Pod restartPolicy options are Always (default, always restart), OnFailure (restart only on failure), and Never (never restart). OnSuccess does not exist. Jobs use OnFailure or Never, while Deployments enforce Always.
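A CronJob that ties Q21 and Q47 together, as an added example not from the original guide: the schedule uses crontab syntax and the Pod template must use OnFailure or Never. The job name and image are constructed.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: nightly-backup             # constructed example name
spec:
  schedule: "0 2 * * *"            # every day at 02:00, same five-field syntax as crontab (Q21)
  concurrencyPolicy: Forbid        # skip a run if the previous Job is still running
  successfulJobsHistoryLimit: 3    # keep a few finished Jobs for inspection
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      backoffLimit: 3              # give up after 3 failed Pod attempts
      template:
        spec:
          # Q47: a Job Pod may only use OnFailure or Never. Always is rejected,
          # because a Pod that always restarts could never count as completed.
          restartPolicy: OnFailure
          containers:
            - name: backup
              image: registry.example.com/backup:1.0   # placeholder image
              command: ["sh", "-c", "echo running backup at $(date)"]
```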
Q48. What is the role of CoreDNS in a Kubernetes cluster?
A) Caching container images B) Acting as the DNS server for service discovery within the cluster C) Encrypting traffic between nodes D) Load balancing Ingress traffic
Answer: B
Explanation: CoreDNS is Kubernetes' default DNS server. It enables service discovery by allowing DNS queries by Service name, e.g., my-service.my-namespace.svc.cluster.local.
Q49. Which of the following is NOT a Kubernetes Control Plane component?
A) kube-apiserver B) kube-scheduler C) kubelet D) kube-controller-manager
Answer: C
Explanation: kubelet is a Worker Node component. Control Plane components include kube-apiserver, etcd, kube-scheduler, and kube-controller-manager (plus cloud-controller-manager in some environments). kubelet runs on all nodes but is fundamentally a Worker Node component.
Q50. Which method is NOT a valid way to inject a ConfigMap into a Pod?
A) As environment variables (envFrom) B) Mounted as a volume C) Built directly into the Pod image D) As individual environment variables (env.valueFrom)
Answer: C
Explanation: Valid ways to inject a ConfigMap include environment variables (envFrom.configMapRef for all keys, env.valueFrom.configMapKeyRef for individual keys) and volume mounts (as files). Building configuration directly into the image violates the Immutable Infrastructure principle and contradicts the purpose of ConfigMaps (separating runtime config).
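The three valid injection methods from Q50 (and the ConfigMap from Q8) in one manifest, as an added example that is not part of the original guide; the ConfigMap keys, names and image are constructed.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config              # constructed name
data:
  LOG_LEVEL: "info"
  DB_HOST: "db.shop.svc.cluster.local"
  app.properties: |             # a file-shaped key, meant for the volume mount
    feature.checkout=true
    cache.ttl=300
---
apiVersion: v1
kind: Pod
metadata:
  name: config-demo
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      # 1) envFrom: every key becomes an environment variable of the same name.
      #    Keys that are not valid variable names (app.properties) are skipped
      #    and reported as an event on the Pod.
      envFrom:
        - configMapRef:
            name: app-config
      # 2) env.valueFrom: one key, optionally under a different variable name.
      #    For a Secret the equivalent is secretKeyRef / secretRef.
      env:
        - name: DATABASE_HOST
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: DB_HOST
      # 3) volume mount: each projected key becomes a file under /etc/app
      volumeMounts:
        - name: config
          mountPath: /etc/app
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: app-config
        items:                   # optional: project only the file-shaped key
          - key: app.properties
            path: app.properties
```

Environment variables are read once at container start, whereas mounted files are refreshed when the ConfigMap changes (unless the volume uses subPath), which matters when deciding between methods 1/2 and 3.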
Q51. When would you use a Service of type ExternalName?
A) To expose an external IP as an in-cluster Service B) To abstract an external DNS name as an in-cluster Service name (CNAME alias) C) To open a port on all nodes externally D) To provision a cloud provider load balancer
Answer: B
Explanation: An ExternalName Service creates a CNAME record pointing to an external DNS name (e.g., my-external-db.example.com). Internal services can access the external service using an abstracted cluster name, so if the external endpoint changes, only the Service needs updating.
Q52. What is a characteristic of init containers?
A) They start simultaneously with application containers B) They run sequentially before main containers start; main containers only start after init containers complete C) They run continuously in the background D) They are only used for node initialization
Answer: B
Explanation: Init containers are special containers that run before the main app containers. If multiple init containers are defined, they run sequentially; each must complete successfully (exit 0) before the next starts. They are used for database readiness checks, config file generation, and dependency downloads.
Q53. What is the role of values.yaml in a Helm Chart?
A) Defines the chart's version and dependency information B) Defines default configuration values for the chart; can be overridden at deploy time C) Contains Kubernetes resource templates to deploy D) Documents how to use the chart
Answer: B
Explanation: In a Helm Chart, values.yaml defines the default values. These can be overridden with --set key=value or -f custom-values.yaml during helm install or helm upgrade. Chart.yaml contains chart metadata; the templates/ directory contains Kubernetes resource templates.
Q54. Which of the following is NOT a CNCF Graduated project?
A) Kubernetes B) Prometheus C) Terraform D) Argo
Answer: C
Explanation: Terraform is HashiCorp's infrastructure provisioning tool and is not a CNCF project (it uses the BSL license). CNCF Graduated projects include Kubernetes, Prometheus, Envoy, CoreDNS, containerd, Argo, Flux, Jaeger, and Vitess.
Q55. What does runAsNonRoot: true in a Pod Security Context mean?
A) Run the Pod in privileged mode B) Prohibit the container from running as root user (UID 0) C) Set the container's filesystem to read-only D) Restrict the container's network access
Answer: B
Explanation: runAsNonRoot: true rejects container startup if it would run as root (UID 0). The image must have a non-root user configured. This is an important security setting to prevent privilege escalation in container escape attacks. It is commonly combined with runAsUser: 1000.
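A Pod spec that applies the runAsNonRoot setting from Q55 together with the resource requests/limits of Q12 and the liveness/readiness probes of Q18, as an added example that is not from the original guide. The image, paths and port are constructed.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app                # constructed example name
spec:
  securityContext:                  # Pod level: inherited by every container
    runAsNonRoot: true              # Q55: kubelet refuses to start a container that would run as UID 0
    runAsUser: 1000                 # explicit non-root UID, so the image's USER setting is not relied on
    runAsGroup: 3000
    fsGroup: 2000                   # group ownership for mounted volumes
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      securityContext:              # container level: narrows what a compromised process can do
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        requests:                   # Q12: what the scheduler uses to pick a node
          cpu: "100m"
          memory: "128Mi"
        limits:                     # Q12: CPU above this is throttled, memory above this is OOMKilled
          cpu: "500m"
          memory: "256Mi"
      livenessProbe:                # Q18: failure -> kubelet restarts the container
        httpGet:
          path: /healthz
          port: 8080
        initialDelaySeconds: 10
        periodSeconds: 10
      readinessProbe:               # Q56: failure -> Pod leaves the Service endpoints, no restart
        httpGet:
          path: /ready
          port: 8080
        periodSeconds: 5
      volumeMounts:
        - name: tmp                 # writable scratch space, since the root filesystem is read-only
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```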
Q56. What happens to a Pod when its Readiness Probe fails?
A) The container is restarted B) The Pod is deleted C) The Pod is removed from Service endpoints and stops receiving traffic D) The node is cordoned
Answer: C
Explanation: A Readiness Probe checks whether a container is ready to receive traffic. If it fails, the Pod is removed from the Service's Endpoints object and no longer receives traffic. No restart occurs. This is useful during long application startup times or temporary overload conditions.
Q57. Which statement about Kubernetes Namespaces is INCORRECT?
A) kube-system Namespace runs Kubernetes system components B) Namespaces isolate cluster-scoped resources like Nodes and PersistentVolumes C) ResourceQuota can be used to limit resource usage per Namespace D) The default Namespace is where resources are created when no Namespace is specified
Answer: B
Explanation: Namespaces isolate namespace-scoped resources like Pods, Deployments, and Services. Cluster-scoped resources like Nodes, PersistentVolumes, StorageClasses, and ClusterRoles do NOT belong to any Namespace. ResourceQuota and LimitRange can limit per-Namespace resource usage.
Q58. What command rolls back a Deployment to its previous version?
A) kubectl restart deployment my-app
B) kubectl rollout undo deployment/my-app
C) kubectl revert deployment my-app
D) kubectl restore deployment my-app
Answer: B
Explanation: kubectl rollout undo deployment/my-app rolls back to the previous ReplicaSet. Use kubectl rollout history deployment/my-app to view history and --to-revision=2 to roll back to a specific version. Use kubectl rollout status to monitor rollout/rollback progress in real time.
Q59. What is the purpose of the Circuit Breaker pattern in cloud native architecture?
A) Protecting electrical circuits B) Blocking requests to failing services to prevent cascading failures C) Encrypting network traffic D) Managing database connection pools
Answer: B
Explanation: The Circuit Breaker pattern stops requests to a repeatedly failing microservice and returns immediate failures, preventing failure propagation to the entire system. Implemented in Istio, Envoy, and Resilience4j. It has three states: Closed (normal) → Open (blocking) → Half-Open (testing).
Q60. What are the prerequisites for HPA (Horizontal Pod Autoscaler) to work in Kubernetes?
A) Cluster Autoscaler must be installed B) Pods must have resource requests set and Metrics Server (or custom metrics server) must be running C) It can only be applied to StatefulSets D) At least 3 nodes are required
Answer: B
Explanation: For HPA to work with CPU metrics, two conditions are required: 1) Target Pods must have CPU requests set (current utilization = actual usage / requests). 2) Metrics Server must be deployed in the cluster to collect metrics. Custom metrics (KEDA) require a separate adapter.
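The HPA prerequisites from Q60 (CPU requests on the target Pods) together with the rolling-update parameters from Q20, as an added example that is not part of the original guide; the Deployment name, image and numbers are constructed and Metrics Server is assumed to be installed.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                       # constructed name
spec:
  replicas: 3                     # starting point; the HPA takes over this field once active
  selector:
    matchLabels:
      app: web
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1                 # Q20: at most 1 Pod above the desired count during an update
      maxUnavailable: 0           # Q20: never drop below the desired count, i.e. zero downtime
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: registry.example.com/web:1.0   # placeholder image
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: "200m"         # Q60: utilization = actual usage / this value
              memory: "128Mi"
            limits:
              cpu: "1"
              memory: "256Mi"
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web
spec:
  scaleTargetRef:                 # the Deployment whose replica count is adjusted
    apiVersion: apps/v1
    kind: Deployment
    name: web
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60  # scale out when average CPU across Pods exceeds 60% of requests
```

If Metrics Server is missing or the requests are unset, `kubectl get hpa web` shows the target as `<unknown>/60%` and no scaling happens.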