50 VMware Certified Professional - Tanzu for Kubernetes Operations Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the VMware Certified Professional - Tanzu for Kubernetes Operations certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for VMware Certified Professional - Tanzu for Kubernetes Operations
An administrator is explaining Tanzu Kubernetes Grid (TKG) cluster architecture to a new team member. Which component is responsible for running the Kubernetes control plane and worker nodes as virtual machines when using TKG on vSphere?
A platform team uses Tanzu Kubernetes Grid management and workload clusters. They want to apply consistent configurations (such as CNI and metadata) to new workload clusters at creation time. What is the recommended approach?
A developer reports that a newly deployed application in a TKG workload cluster is unreachable from other pods in the same namespace. A quick check shows the pods are Running, but no traffic passes between them. Which Kubernetes feature is MOST likely blocking traffic in this scenario?
A security team requires that Kubernetes API access be integrated with the company’s identity provider and that authorization be centrally managed by group membership. Which approach best meets this requirement for TKG clusters?
A cluster operator needs to verify why a pod is stuck in Pending state in a TKG workload cluster. What is the most direct kubectl command to identify scheduling-related reasons (for example, insufficient CPU or node taints)?
A company wants to deploy a new TKG workload cluster and ensure it can scale worker nodes automatically based on pending pods. Which component provides this functionality in Kubernetes?
A team is designing a TKG environment to reduce blast radius and simplify lifecycle management. They want a clear separation between the cluster used to manage lifecycle operations and the clusters that run applications. Which design best aligns with TKG architecture best practices?
An operator is upgrading a TKG workload cluster and wants to minimize application downtime. What is the most appropriate Kubernetes strategy to help ensure availability during node rotations/updates?
After enabling a default-deny NetworkPolicy in a namespace, DNS lookups from pods begin failing (for example, service discovery stops working). The CoreDNS service runs in a different namespace. What is the most likely fix while maintaining a least-privilege posture?
A stateful application uses PersistentVolumes on a TKG workload cluster backed by vSphere storage. After a node failure, the pod is rescheduled to another node but remains stuck because the volume cannot be attached simultaneously to two nodes. What is the MOST likely root cause?
An operator uses the Tanzu Kubernetes Grid (TKG) CLI to create a workload cluster but receives an error that the management cluster is unreachable. The operator confirms the management cluster API endpoint is reachable from their workstation. What is the MOST likely cause?
Which Kubernetes object is MOST appropriate to store non-sensitive configuration values (for example, feature flags and endpoint URLs) that applications in a Tanzu Kubernetes cluster consume as environment variables?
A team wants to ensure only trusted images are deployed to Tanzu Kubernetes clusters by requiring that images be pulled from an internal registry. Which control MOST directly enforces this policy at admission time?
A platform team uses Cluster API-based Tanzu Kubernetes Grid. They must deploy 30 workload clusters with consistent settings (labels, variables, and node sizing) and want to minimize drift between clusters. What is the BEST approach?
After enabling network policies in a Tanzu Kubernetes cluster, an application in namespace "app" can no longer reach the DNS service. Pods show errors resolving cluster service names. What is the MOST likely reason?
A workload cluster's control plane is healthy, but multiple Pods are stuck in Pending state with events indicating "0/10 nodes are available: pod has unbound immediate PersistentVolumeClaims". What is the MOST appropriate next step?
A team wants to separate system components from application workloads in Tanzu Kubernetes clusters. They want to ensure application Pods do not schedule onto nodes dedicated to system services. Which combination is the BEST practice to achieve this?
An application requires a static, routable IP for an internal load balancer that must remain consistent across updates. In a Tanzu Kubernetes environment using a software load balancer integration, which Service configuration best meets the requirement?
A Tanzu Kubernetes cluster uses a private container registry with a self-signed CA. Pods fail to pull images with x509 trust errors. What is the BEST solution that scales across the cluster?
A management cluster is running Cluster API controllers. After an infrastructure outage, several Machine objects show a "Failed" phase while the corresponding Nodes in the workload cluster no longer exist. The team wants Cluster API to recreate the missing capacity while preserving declarative state. What is the BEST action?
An administrator is provisioning a workload cluster and wants it to automatically receive approved security updates without manual intervention, while still controlling when upgrades occur. Which approach best meets this requirement in Tanzu Kubernetes Grid (TKG)?
A platform team wants developers to request Kubernetes clusters through a consistent, self-service workflow with guardrails (approved instance sizes, networks, and policies). Which TKG-related component or capability is designed to enable this approach?
An application team reports that Services are resolving intermittently inside a workload cluster. Pods can reach external IPs reliably, but DNS queries sometimes time out. Which component should be checked first in a Kubernetes cluster for this symptom?
A new workload cluster fails to create and the management cluster shows Cluster API resources stuck with infrastructure objects not ready. The vSphere team confirms the provided credentials can log in, but VMs are not being created. Which vSphere-side prerequisite is most likely missing for Cluster API Provider for vSphere to create VMs?
You need to restrict east-west traffic between namespaces in a workload cluster so that only a specific set of pods can communicate to a database service. Which Kubernetes-native mechanism should be used (assuming the CNI supports it)?
A workload cluster upgrade is initiated. Control plane nodes upgrade successfully, but worker nodes remain on the old version and the MachineDeployments show replicas unavailable. Which action is the best next step to identify the blocker in a Cluster API-managed upgrade?
A storage team requires that persistent volumes in multiple workload clusters be provisioned with encryption and consistent performance characteristics. They also want developers to request storage through standard Kubernetes objects without direct access to the underlying storage system. Which Kubernetes object should be standardized to meet this goal?
A company must ensure that only signed container images from an approved registry are deployed to any workload cluster. They need a centralized policy approach that can be applied consistently across many clusters. Which solution best addresses this requirement?
A multi-tenant platform uses multiple namespaces per team within a shared workload cluster. The security team requires that even if a developer gains access to a node, they cannot retrieve Kubernetes Secrets in plaintext from etcd backups. Which design choice best satisfies this requirement?
You operate TKG management and workload clusters in a restricted environment where outbound internet access is blocked. Cluster creation fails because nodes cannot pull required container images. Which architecture pattern is the most appropriate remediation?
An administrator is planning a Tanzu Kubernetes Grid (TKG) deployment and wants a single, consistent way to define cluster topology and lifecycle operations (create/scale/upgrade) across infrastructure providers. Which component provides this capability?
A platform team wants to allow developers to create application namespaces while preventing them from creating cluster-scoped resources (e.g., ClusterRole, CRD) in a TKG cluster. Which Kubernetes feature is the best fit to enforce this?
A new cluster was created successfully, but nodes remain in NotReady. The CNI pods are CrashLoopBackOff, and there are no Pod IPs assigned. What is the most likely category of root cause?
You need to provide persistent storage to applications running on a TKG workload cluster, and the storage must be dynamically provisioned when a PVC is created. Which Kubernetes object enables dynamic provisioning?
A team wants to scale a TKG workload cluster by adding worker nodes while keeping the desired state declarative and auditable. Which approach best aligns with TKG/Cluster API operations?
After applying a NetworkPolicy that should deny all ingress traffic to a namespace, pods are still reachable from other namespaces. What is the most likely explanation?
A workload cluster upgrade is initiated, but it stalls with some nodes on the old Kubernetes version and others upgraded. You suspect a PodDisruptionBudget (PDB) is preventing node drain. Which command best helps confirm this hypothesis?
A platform team wants to separate management and workload responsibilities. They want the management cluster to host only cluster lifecycle services and avoid running application workloads there. What is the recommended design approach?
A company requires that workloads running in a TKG cluster can only pull images that are signed and verified, and that unsigned images are blocked at admission time. Which solution best meets this requirement?
A workload cluster’s API server becomes intermittently unreachable. Control plane nodes are healthy, but clients report TLS handshake timeouts only when connecting through the advertised endpoint. Direct access to a specific control plane node IP works consistently. Which architecture-related issue is the most likely cause?
An operator needs to quickly determine which Tanzu Kubernetes Grid (TKG) management component is responsible for creating and reconciling Kubernetes clusters from Cluster API (CAPI) objects. Which component should they identify?
A team wants to standardize cluster creation by enforcing the same Kubernetes control plane settings, labels, and add-ons for many workload clusters. Which approach best supports this in Tanzu Kubernetes Grid?
A platform engineer suspects that a Service is not reachable because it has no healthy backends. What is the most direct Kubernetes command to verify whether the Service has endpoints?
A company is designing a new multi-team platform using TKG. Security requires strict separation between platform operations and application teams, including different RBAC boundaries and lifecycle ownership. Which architecture best meets this requirement?
After scaling a workload cluster, new worker nodes appear in the cluster but remain in NotReady state. Pod networking is failing on those nodes, while existing nodes continue to function. Which action is most likely to identify the root cause quickly?
A team wants Kubernetes Services of type LoadBalancer to receive IP addresses from an existing enterprise IP pool and be reachable from the corporate network. In a TKG environment where a cloud provider integration is not available, which solution is most appropriate?
A new workload cluster must use persistent volumes backed by a vSphere datastore, and the storage team requires dynamic provisioning with Kubernetes StorageClasses. Which Kubernetes component enables this integration in a TKG on vSphere environment?
A workload cluster is created successfully, but cluster upgrades are failing with an error indicating that the new machine objects cannot be created due to insufficient capacity in the target placement. Which preventive best practice would most directly reduce the chance of this failure?
A security audit finds that developers can create privileged Pods and mount hostPath volumes in multiple namespaces. The platform team must enforce a baseline that prevents these behaviors across all namespaces while still allowing exceptions for specific system namespaces. What is the best Kubernetes-native approach?
A TKG management cluster uses Cluster API. During creation of a new workload cluster, the Cluster object exists but no Machines are created, and events show the infrastructure provider is not ready. Which condition most likely explains this behavior?
VMware Certified Professional - Tanzu for Kubernetes Operations 50 Practice Questions FAQs
VMware Certified Professional - Tanzu for Kubernetes Operations is a professional certification from VMware that validates expertise in Tanzu for Kubernetes Operations technologies and concepts. The official exam code is 2V0-71.23.
Our 50 VMware Certified Professional - Tanzu for Kubernetes Operations practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for VMware Certified Professional - Tanzu for Kubernetes Operations preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 VMware Certified Professional - Tanzu for Kubernetes Operations questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.