50 VMware Certified Advanced Professional - VMware Cloud Foundation 9.0 vSphere Kubernetes Service Practice Questions: Question Bank 2025

An administrator is reviewing the architecture of vSphere Kubernetes Service. Which component is responsible for running Kubernetes control plane and worker nodes as vSphere-managed VMs and enabling lifecycle operations on those nodes?

A platform team needs to allow developers to provision Kubernetes clusters without giving them vCenter administrative access. Which approach best aligns with vSphere Kubernetes Service operating model?

After enabling vSphere Kubernetes Service on a cluster, developers report they cannot deploy any workloads because there are no available Kubernetes worker nodes. Which action is required to provide capacity for workloads in vSphere Kubernetes Service?

A team wants to ensure Kubernetes workloads remain available when an ESXi host fails. Which vSphere feature primarily provides automatic restart of the Kubernetes node VMs on remaining hosts?

A company is designing networking for vSphere Kubernetes Service and must provide routable connectivity between Kubernetes workloads and external systems without relying on overlay networks. Which design choice best supports this requirement?

A tenant reports that creating a Tanzu Kubernetes cluster fails with an error indicating insufficient resources, even though the vSphere cluster has free capacity. The platform team recently applied tight CPU and memory limits to the namespace. What is the most likely cause?

An administrator is asked to implement least privilege so a security team can audit Kubernetes objects in a namespace but cannot create, modify, or delete any resources. Which permission model best fits this requirement?

A platform engineer needs to standardize Tanzu Kubernetes cluster builds so that all clusters use the same approved base images and can be updated consistently. Which configuration is most central to achieving this in vSphere Kubernetes Service?

A production Supervisor-backed environment uses a shared storage platform. The storage team requires that Kubernetes persistent volumes for Tier-1 applications be encrypted at rest and placed only on a specific datastore cluster. Which is the best approach to meet this requirement while keeping provisioning self-service for developers?

After an identity provider change, users can authenticate to vCenter but `kubectl` access to the Supervisor namespace returns authorization errors for actions they previously could perform. No infrastructure changes were made to the Kubernetes clusters. What is the most likely remediation?

An administrator wants to quickly verify which Kubernetes clusters are running on a specific vSphere Supervisor and confirm their overall status. Where is the most appropriate place to view this information?

A platform team is asked to provide storage to vSphere Kubernetes Service workloads with encryption at rest and a clear separation of performance tiers. Which vSphere construct best enables this for Kubernetes persistent volumes?

A developer reports they can authenticate to the Supervisor but cannot create a new namespace. The developer is a member of the correct SSO identity source group. What is the MOST likely missing configuration?

A company wants Kubernetes workloads to have isolated network segments per namespace and enforce distributed firewall rules between namespaces. Which design choice best aligns with this requirement?

After enabling a Supervisor, Pods fail to get an IP address and remain in a pending state. Other cluster operations appear normal. Which troubleshooting step is MOST appropriate first?

A platform team wants to limit the maximum CPU and memory that a development team can consume across all their Kubernetes objects in a namespace while still allowing them to create workloads freely within that limit. Which control should be implemented?

An administrator needs to provide a secure method for Kubernetes workloads to access an external image registry that uses a private CA certificate. What is the BEST practice approach?

A Tanzu Kubernetes cluster is experiencing uneven workload distribution and frequent CPU contention on a subset of ESXi hosts, even though other hosts have capacity. Which vSphere feature should be validated and tuned first to improve placement for Kubernetes worker nodes?

A security team requires that Kubernetes users receive only the minimum permissions needed and that access to namespaces is centrally governed from vCenter, not delegated solely inside Kubernetes. Which design best meets this requirement?

A multi-tenant environment has strict requirements to prevent data exposure between tenants. Tenants use persistent volumes and occasionally delete and recreate PVCs. What is the MOST effective way to reduce the risk of residual data exposure when volumes are released?

An administrator is validating prerequisites before enabling vSphere Kubernetes Service on a cluster. Which requirement is essential to allow Supervisor control plane VMs to be placed and managed correctly?

A platform team wants developers to deploy Pods without being able to create or modify vSphere Namespaces. Which approach best aligns with least-privilege access control?

A developer reports that kubectl can authenticate to the Supervisor but receives authorization errors when creating objects in a vSphere Namespace. The identity source is already configured and the user can log in to vCenter. What is the MOST likely cause?

A company uses multiple vSphere Namespaces and wants to prevent one team from consuming excessive CPU and memory on the Supervisor cluster. Which configuration should the administrator apply to achieve this goal?

After enabling vSphere Kubernetes Service, a supervisor-enabled cluster shows that workload management is running, but developers cannot provision persistent volumes (PVs). Pods remain pending with storage-related events. Which missing configuration is the MOST likely root cause?

A security team requires that all container images used by workload clusters are pulled only from an approved enterprise registry. Which control provides the BEST enforcement point in a vSphere Kubernetes Service environment?

An operations team wants to provide self-service Kubernetes clusters to developers while controlling the maximum size of any single cluster (node count) to protect shared infrastructure. Which approach is MOST appropriate?

A Supervisor cluster uses a shared datastore and multiple storage policies. The storage team needs to ensure that a certain class of workloads uses only the high-performance policy and cannot accidentally use other policies. What is the BEST configuration to meet this requirement?

A team reports intermittent failures when accessing the Supervisor API endpoint from certain subnets. The API works from the management network but fails from user VLANs. Which design issue is the MOST likely cause?

A workload cluster nodes are repeatedly being evicted and rescheduled during periods of high utilization, even though overall cluster capacity appears sufficient. The vSphere cluster has DRS enabled. Which configuration is MOST likely causing the observed behavior?

An administrator is asked to explain which Kubernetes endpoint developers use to create and manage namespaces, pods, and services on a Supervisor. Which component provides the Kubernetes API endpoint for the Supervisor?

A platform team wants to allow a development group to deploy workloads on vSphere Kubernetes Service without granting them privileges to modify hosts, clusters, or storage policies. Which approach is the BEST practice?

A team is troubleshooting why new Kubernetes pods remain in Pending status in a Supervisor Namespace. The events show '0/3 nodes are available: insufficient cpu'. What is the MOST likely cause in vSphere Kubernetes Service?

A developer asks why they cannot create a LoadBalancer type Service in their namespace. The cluster uses vSphere Kubernetes Service with NSX networking. Which component is responsible for providing load balancing for Kubernetes Services of type LoadBalancer?

A customer wants to restrict a Supervisor Namespace so that all pods can only pull container images from an internal registry. Which control is the BEST fit to enforce this requirement at admission time?

After enabling a new storage policy for Kubernetes persistent volumes, developers report that PersistentVolumeClaims (PVCs) remain in Pending with events indicating no matching datastore found. Which is the MOST likely configuration issue?

A platform engineer needs to provide separate operational boundaries for two application teams using vSphere Kubernetes Service. Each team must have its own resource quotas, access permissions, and allowed storage policies. Which design meets these requirements with the LEAST administrative overhead?

An SRE team wants to ensure that only authenticated users from a corporate identity provider can access the Supervisor Kubernetes API using kubectl, and that access is centrally revoked when a user leaves the company. Which integration BEST satisfies this requirement?

A regulated environment requires strict separation so that Kubernetes workloads from one namespace cannot communicate with workloads in another namespace unless explicitly permitted. The Supervisor uses NSX networking. Which action BEST enforces this requirement?

A cluster is experiencing intermittent pod networking issues after a maintenance window. Pods can resolve DNS, but traffic to services in other subnets fails. The environment uses NSX with Supervisor. Which is the MOST appropriate first step to isolate whether the issue is in the NSX data plane versus Kubernetes service configuration?

An administrator is validating prerequisites for enabling vSphere Kubernetes Service (Supervisor) on a vSphere cluster. Which component provides the control plane for running vSphere Pods and provisioning Tanzu Kubernetes clusters?

A developer can create namespaces but cannot create a Tanzu Kubernetes cluster inside an existing Supervisor Namespace. The cluster creation request is denied due to policy. What is the MOST likely cause?

An operator needs a quick way to limit how much CPU and memory workloads in a Supervisor Namespace can consume to prevent one team from exhausting cluster resources. Which construct should be used?

A company wants developers to deploy vSphere Pods to a Supervisor Namespace but must ensure those pods can only attach persistent volumes from a specific set of datastores. Which is the BEST approach?

After enabling vSphere Kubernetes Service, an administrator notices that Kubernetes API access works, but node-to-node and pod-to-pod networking is intermittently failing between ESXi hosts. Which item should be checked FIRST as the most common underlying cause?

A platform team wants to provide two classes of Tanzu Kubernetes clusters: one optimized for small dev clusters and another for larger production clusters. They also want to enforce these sizes consistently across namespaces. What should they configure?

A Supervisor Namespace is configured with appropriate permissions, VM classes, and storage policies. Developers can authenticate and can create namespaces in Kubernetes, but attempts to create LoadBalancer-type Services never receive an external IP. Which configuration is MOST likely missing?

Security requires that Kubernetes authentication be centralized and that access to a Supervisor Namespace be granted based on enterprise group membership. Which approach best meets this requirement?

An organization wants to restrict developers so they can only deploy containers from an approved registry and must prevent the use of untrusted images across all namespaces. Which is the BEST solution within Kubernetes governance controls?

A mission-critical Tanzu Kubernetes cluster must remain available during a single ESXi host failure. The current design uses a small number of hosts and the Supervisor control plane VMs are clustered. Which additional design choice MOST directly improves workload availability for cluster nodes during host failure?