Kubernetes and Cloud Native Associate Certification Exam (KCNA) Practice Test 3
Q. Which of the following best describes the architectural relationship between pods and containers?
a controller specification (spec) runs inside a container, which runs inside of a pod
containers run inside of a pod and are defined by a controller specification (spec)
pods are scheduled by containers and are defined by a controller specification (spec)
containers are scheduled by a specification and run alongside of pods
Q. Which significant development has occurred regarding Docker and its relationship with Kubernetes?
Docker is now the preferred container runtime for Kubernetes
Docker has been deprecated in favor of the Containerd runtime
Docker has merged with Kubernetes to form a unified platform
Docker continues to be the sole container runtime used with Kubernetes
Q. To prevent connectivity issues to application pods that might be scaling up and down, what Kubernetes object sits in front of pods to provide reliable networking and redirect traffic to healthy pods?
service
port definition
container
configMap
Q. Which of the following is NOT a reason to use namespaces in a Kubernetes cluster?
isolate hostile or potentially dangerous workloads from others
share a cluster among different teams within the organization
create virtual clusters that cater to different use cases throughout the organization
divide a cluster to handle multiple environments, such as prod, dev, and qa
Q. How can Prometheus gather a list of targets for metric collection besides using a static list of configured targets?
by querying a database that contains a list of all the available targets
by using a Gossip protocol to understand what targets are available to scrape
by using network discovery and pinging all the IP addresses available on the configured subnets
by using service discovery to gather a list of targets dynamically
Q. In Kubernetes, why might you consider creating a custom scheduler?
to increase the number of worker nodes in the cluster
to manage container image repositories
to improve network security within the cluster
to implement scheduling policies and rules that the default scheduler does not support
Q. After months of work, you are ready to deploy your customer-facing application on a Kubernetes cluster. To ensure high availability and take advantage of failure domains, what feature can you use to ensure pods are scheduled across all available nodes?
autoscaling
load balancing
spread constraints
affinity rules
Q. In Kubernetes, what is the primary difference between Taints and Tolerations and Node Affinity?
Taints and Tolerations define node preferences, while Node Affinity defines pod preferences.
Taints and Tolerations are used for controlling pod placement, while Node Affinity is used for limiting resource consumption.
Taints and Tolerations allow fine-grained control over pod-to-pod communication, while Node Affinity controls network policies.
Taints and Tolerations allow a node to repel a set of pods, while Node Affinity is used to attract pods to a set of nodes
Q. In Kubernetes, what is a key consideration when deciding whether to use an init-container or a sidecar container in a pod?
init-containers are more suitable for handling long-running processes
init-containers are better for one-time setup tasks during pod initialization
init-containers are used to share resources like volumes with the main container
sidecar containers are primarily used for orchestrating pod scaling
Q. In a Kubernetes definition file, what is the purpose of using the nodeName parameter when specifying a pod's scheduling preferences?
it specifies the desired CPU and memory resources for the pod
it sets the pod's network policy for communication with other pods
it defines the number of replicas for the pod
it indicates the name of the worker node where the pod should be scheduled
Q. You are a Kubernetes administrator tasked with troubleshooting an issue inside a running pod. What is the most appropriate method to connect to the pod and run commands for debugging?
use kubectl attach to attach to the pod's main process and interact with its terminal
use the kubectl logs command to view the pod's logs and identify the issue without directly connecting to it
create an SSH connection to the worker node where the pod is running and access the pod's file system directly
use kubectl exec to connect to it and execute the desired commands
Q. Which control plane service is responsible for distributing containers across multiple nodes within a Kubernetes cluster?
etcd
kubelet
scheduler
API server
Q. What does CNCF stand for?
Cybersecurity Network Configuration Fabric
Cloud Native Computing Foundation
Cloud Native Compliance Framework
Continuous Network Connectivity Framework
Q. What is the primary role of kube-proxy in a Kubernetes cluster?
perform network proxying and load balancing
enforce resource quotas and limits
manage container runtime configurations
schedule pods onto worker nodes
Q. Which of the following are valid authentication mechanisms for a Kubernetes cluster?
client certificates (X.509)
static password or token file (csv)
third-party identity provider
MFA token or mobile push
Q. The Kubernetes control plane is a critical component of using a Kubernetes cluster. Select the true statements about the control plane
you should run 3 or 5 control plane nodes for high availability
the control plane is made up of a single Kubernetes service, the API server
control plane nodes should be spread across failure domains
control plane nodes can be physical servers, virtual machines, or cloud instances
Q. What metric below would be the best choice for a service level indicator?
high CPU
application error rates
memory utilization
database replication latency
Q. What Kubernetes component represents an agent that runs on every Kubernetes worker node?
docker
kubelet
etcd
kubectl
Q. What components do containers share when they run in the same Pod?
volumes
network stack
application code
memory
Q. What is Prometheus, and what is it commonly used for in the context of system monitoring and observability?
Prometheus is a platform used for automating the deployment of containerized applications on Kubernetes
Prometheus is a programming language designed for Kubernetes development
Prometheus is a type of cloud storage service used for data backup
Prometheus is an open-source monitoring and alerting toolkit used to gather and analyze metrics from various software systems
Q. In terms of Kubernetes, what are the differences between a Working Group and a Special Interest Group (SIG)? (select two)
A SIG is a form of Kubernetes documentation that provides detailed guidelines for various technical aspects of the project
a Working Group refers to a group of developers who focus on organizing social events and gatherings
Working Groups are formed to address concerns and initiatives that affect multiple SIGs or the project as a whole.
SIGs are focused on specific technical areas of the Kubernetes project, such as storage, networking, or scalability
Q. Which of the four GitOps pillars involves comparing the actual deployment against the desired state and making changes to ensure the infrastructure remains consistent?
Continuously Reconciled
Automatically Pulled Approved Changes
Infrastructure is Versioned and Immutable
Written in Declarative State
Q. Your cloud-native application runs on Kubernetes. You want to ensure the pod has sufficient resources to serve your application without crashing. What feature can you use to automatically modify the resource limits on the initial deployment and throughout the pod's lifecycle?
vertical pod autoscaler
kube-scheduler
horizontal pod autoscaler
cluster scaling
Q. What are some of the popular service mesh solutions commonly used for managing microservices communication in Kubernetes clusters?
Linkerd, Istio, and Envoy
Prometheus and Grafana
Helm and Kustomize
Kubernetes Ingress Controllers and Flannel
Q. Which of the following best describes the difference between DevOps and Site Reliability Engineering (SRE)?
DevOps focuses on managing software development processes, whereas SRE works to design and implement the kind of scalable, dependable systems that ensure maximum reliability
SRE is primarily concerned with automating software development processes, while DevOps focuses on optimizing service reliability
In DevOps, developers are only responsible for writing code. SRE teams don't write any code
DevOps and SRE are the same thing, just different names for the same approach to software development and operations
Q. What are the characteristics of cloud-native architecture?
team practices such as cooperation, integration, and open governance
applications that are resilient, scalable, observable, highly automated, and easily updated
applications that meet and respond to modern business demands
workloads that run on the public cloud
Q. What is a security concern related to the default storage of Secrets in the API server's underlying data store (etcd)?
secrets can only be accessed by the user that stored the data
secrets are automatically encrypted in etcd
anyone with access to etcd or the cluster can read or modify Secrets
only cluster administrators can access Secrets stored in etcd
Q. Which of the following are subgroups available in the Kubernetes API?
hosts
batch
storage.k8s.io
apps
Q. When you send commands to a Kubernetes cluster, what control plane component are you interacting with?
kubelet
API server
controller
scheduler
Q. How does Prometheus collect metrics from its configured targets?
by accessing the underlying hardware of each target and extracting metrics
by collecting data from all of the agents installed on each individual target
by scraping targets who expose the metrics through an HTTP endpoint
by hosting an HTTP endpoint in which targets will push metrics for collection
Q. To pull an image from your private repository, you must authenticate with the registry to download a private image. What command allows you to log in to Docker Hub?
docker login
docker authenticate
docker compose
docker pull
Q. You have applied a taint to a Kubernetes node to ensure only certain workloads will run on this node. Additionally, you add a toleration to a web-app pod to match the taint so it can be scheduled on the node. However, you notice that the pod is NOT running on the desired node, and is running on a different node in the cluster. Why didn't the taint and toleration configuration ensure the pod is scheduled on the desired node?
taints and tolerations do not tell a pod to go to a particular node, they only tell the nodes that they can accept pods with certain tolerations
you should have configured the pod with a taint and the node with the toleration
taints and tolerations don't work until after the pods have been scheduled and are running
taints and tolerations are only used for master/control plane nodes, not for general workloads scheduled on worker nodes
Q. In the context of Kubernetes, what is Helm?
container runtime for managing Docker containers
Kubernetes distribution that simplifies cluster installation
monitoring and logging solution for Kubernetes clusters
package manager for Kubernetes that assists with application deployment
Q. What was the original container runtime that Kubernetes used to schedule and run containers?
Podman
Docker
Firecracker
ContainerD
Q. When comparing push-based and pull-based deployment approaches, what is the primary difference between the two?
Pull-based deployment approach requires that you provide cluster credentials to external systems, creating a potential security risk
Pull-based deployment approach retrieves changes directly from a Git repo, while push-based approaches rely more on manual triggers and updates
Push-based deployments tend to be more secure since they don't require exposing any credentials to an external system to provide direct access to the Kubernetes cluster
Push-based deployments require integration with an external system that has direct access to the Kubernetes cluster, while pull-based deployments apply changes from within the cluster itself
Q. What is the primary purpose of using a service account?
configure network policies for services
provide authentication and authorization for applications running within pods
encrypt communication between the Kubernetes master and worker nodes
grant permissions to external users accessing the cluster
Q. Your colleague has created a ReplicaSet definition file and is ready to deploy it. Based on the definition file below, what labels are used to match the labels defined on the existing or newly created pods?

    apiVersion: apps/v1
    kind: ReplicaSet
    metadata:
      name: bryan-app
      labels:
        application: web-app
        tier: backend
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: prod-web-app
      template:
        metadata:
          labels:
            app: prod-web-app
            customer: marketing
        spec:
          containers: ...

app: prod-web-app
name: bryan-app
tier: backend
application: web-app
Q. What does it mean for a container to be OCI-compliant in the context of containerization and container runtimes?
the container adheres to the Open Container Initiative (OCI) runtime specification and can run on any OCI-compliant runtime
the container is secured against all known vulnerabilities
the container is managed exclusively by Docker and cannot be used with other container runtimes
the container is automatically deployed to a cloud-based Kubernetes cluster
Q. What is the primary purpose of etcd in a Kubernetes cluster?
to provide a consistent container runtime environment for Kubernetes pods
to manage networking and load balancing for the cluster so it's consistent across all nodes in the cluster
to schedule pods and containers across worker nodes
to store and manage configuration data, including cluster state and configuration settings across all control plane nodes
Q. You have submitted a new manifest to deploy your new production application. However, it seems the cluster cannot find a suitable node to schedule some of the containers. What state will the pods be in until Kubernetes finds an appropriate node?
DEPLOYED
FAILED
PENDING
UNSUCCESSFUL
Q. What GitOps tool offers a full range of CI/CD capabilities, such as image building, preview environments, and deployment to Kubernetes?
Ansible
ArgoCD
Jenkins X
FluxCD
Q. A common deployment model is to run the main application container along with a helper container inside a Pod. What is this helper container often referred to as?
subordinate
secondary
sidecar
ancillary
Q. Which governing body is responsible for creating open standards for container formats and runtimes?
Open Container Initiative (OCI)
Storage Special Interest Group (SIG)
Container Working Group
Cloud Native Computing Foundation (CNCF)
Q. In Kubernetes, why would you use a secret resource?
to encrypt communication between the Kubernetes master and worker nodes
to store and manage large datasets within the cluster
to securely store sensitive information, such as API keys, passwords, or TLS certificates
to configure and manage network policies for pods and services
Q. What distinguishes a DevOps Engineer from a Site Reliability Engineer (SRE) in terms of their roles and responsibilities?
a DevOps Engineer is solely focused on deploying applications on a public cloud platform
DevOps Engineers get paid more because they are more in-demand
Site Reliability Engineers are harder to find because everyone wants to be a DevOps Engineer
typically a Site Reliability Engineer (SRE) has more of an operational focus than DevOps Engineer
Q. What is the connection between a container image and a container in Kubernetes?
a container is a smaller version of a container image
a container image is a virtual machine used to host containers
the container image is a blueprint for creating a container
the container image is a running instance of a container.
Q. Which of the following best defines serverless computing?
an application architecture model that eliminates the need for any servers
a service that allows you to rent servers in your datacenter to execute code
a computing model where users are responsible for provisioning and managing the underlying servers to execute code
a service that allows developers to execute code in response to events without having to provision or manage servers
Q. What is the most important factor that helps ensure continuous operation and fault tolerance for the control plane in a Kubernetes cluster?
the number of control plane nodes is minimized for simplicity
the control plane nodes are isolated at the network level
traffic is load-balanced to a single control plane node
the control plane components are spread across multiple nodes
Q. What are the benefits of using serverless functions on Kubernetes or a public cloud provider? (select three)
allows developers to write code vs. worrying about the underlying server or platform
enables cost savings for organizations with unpredictable traffic or usage patterns
the platform can handle scaling, event triggering, and the lifecycle management of the function
enables up-front capital expenditures for long-running servers
Q. What are the benefits of using autoscaling for a system or application? (select three)
the application can handle spikes or drops in traffic
cost optimization of underlying resources
increased fault tolerance
using observability solutions for manual intervention
Q. You're a Kubernetes administrator responsible for ensuring that a specific node in your cluster is reserved for critical workloads. What Kubernetes features can you use to achieve this goal?
Create a taint on the dedicated node and define tolerations in the pod specifications. Use NodeAffinity to ensure the pods are scheduled on the correct node.
Label the node as "critical" and reference this label in the pod specifications. Set a toleration on the host to ensure only critical workloads can be scheduled on it
Configure node affinity rules in the pod specifications. Then configure a taint in the specification file to ensure it is scheduled on the specific node
Scale up the cluster to allocate a dedicated node. Configure NodeAffinity on the new host.
Q. What is the primary purpose of a DaemonSet controller in Kubernetes?
to ensure the high availability of pods across multiple nodes for critical workloads
to manage the horizontal scaling of pods based on resource utilization and user demand
to provide load balancing for incoming traffic to pods deployed across multiple nodes
to ensure a specific pod runs on every node in the cluster, such as a logging agent
Q. You have placed a ReplicaSet definition file in the /etc/kubernetes/manifests folder on a worker node in an attempt to create it. Why won't kubelet create the new resource?
the kubelet monitors the /etc/kubernetes/manifests directory for static pod definitions, not for ReplicaSet definitions
you must run the command kubectl create -f <filename> to create the resource
you have not yet configured kubelet to deploy a ReplicaSet
kubelet will not deploy any resources on the node without the scheduler
Q. In the example Kubernetes manifest file below, what does the kind field specify?

    apiVersion: ...
    kind: ...
    metadata:
      labels:
        app: ...
      name: ...
    spec:
      replicas: ...
      selector:

the type of pod you want to create
the label used to tag the object
the version of the API you want to use
the type of object that will be created
Q. In a default Kubernetes cluster, what is the primary DNS configuration used for resolving service names to their respective pod IP addresses?
the CoreDNS service running within the cluster
the DNS server of the Kubernetes cluster's underlying infrastructure
the DNS resolver configured on each individual pod
Kubernetes does not provide DNS resolution for service names
Q. After building a new container image for an application, what must be done to deploy the new image to the Kubernetes cluster when following a GitOps workflow using ArgoCD?
Modify the helm chart or manifest with the new image, commit the changes, and submit a pull request
No additional changes are needed since the ArgoCD operator will recognize the changes and automatically update the application
Access the ArgoCD user interface (UI) and manually update the name of the image used for the application
Rollback the changes to the previously stable version of the application
Q. What Prometheus component is responsible for sending messages to systems or administrators via email, Slack messages, or 3rd party solutions?
exporters
alertmanager
Prometheus HTTP server
pushgateway
Q. The Cloud Native Computing Foundation (CNCF) has defined three maturity stages that projects must go through in order to become fully-fledged applications. What are the three stages?
1. Sandbox 2. Development 3. Graduated
1. Proposed 2. Developing 3. Graduated
1. Sandbox 2. Incubating 3. Graduated
1. Development 2. Quality Assurance 3. Production
Q. What system allows containers to discover services and establish connectivity in an environment using service discovery and service mesh?
eBPF
Kubernetes service
DNS
load balancers
Q. How can you label a node in Kubernetes to mark it for specific workloads or purposes?
use the command kubectl label nodes bryan-node-1 environment=production to assign the label to the node
create a YAML manifest file with node labels and apply it with kubectl apply
use the kubectl node-label environment=production command to assign labels to the node
run a shell script on the node to set environment variables as labels