cka exam questions Practice Exam 2025: Latest Questions

You need to view and modify cluster-wide authentication and authorization settings. Which Kubernetes component is primarily responsible for enforcing authorization decisions (e.g., RBAC) for API requests?

A Pod must run on a specific node because it requires a locally attached GPU. Which scheduling mechanism is the simplest and most direct way to ensure the Pod is placed on that exact node?

You want to expose a set of Pods internally within the cluster under a stable virtual IP and DNS name. Which Kubernetes Service type should you use?

A cluster uses PersistentVolumes backed by a network storage system. You need a Pod to keep its data even if the Pod is deleted and re-created. Which Kubernetes object should the Pod reference to achieve this?

A Deployment’s Pods are stuck in Pending. Running `kubectl describe pod` shows: `0/5 nodes are available: 5 node(s) had taint {dedicated=infra:NoSchedule}.` You want these Pods to run on those nodes. What should you add to the Pod spec?

Pods in namespace `dev` cannot resolve DNS names (e.g., `kubernetes.default`). Other namespaces work. CoreDNS Pods are Running. Which is the most likely Kubernetes resource misconfiguration causing only `dev` to fail DNS resolution?

You must harden control-plane access so that only a dedicated admin host can reach the Kubernetes API server. You cannot change cloud firewall rules, only in-cluster config and node settings. Which configuration best achieves this goal?

A StatefulSet uses volumeClaimTemplates. You scale the StatefulSet down from 3 replicas to 0 and then back to 3. What happens to the PersistentVolumeClaims created from the volumeClaimTemplates?

A node shows `NotReady`. `kubectl describe node` reports `NetworkPluginNotReady: cni config uninitialized`. Pods scheduled to the node are stuck in `ContainerCreating`. Which action is the most appropriate first step to restore scheduling and pod networking on that node?

Your cluster’s Services work, but traffic to a particular Service intermittently fails. `kubectl get endpoints` shows the expected Pod IPs. `kubectl describe pod` for one backend shows the container is Running but the Service still sends traffic to it during startup, causing errors. What is the best Kubernetes-native way to prevent the Service from routing traffic to that Pod until it is truly ready?

You need to allow a Pod to resolve DNS names for Services in its own namespace and for fully qualified cluster names (e.g., mysvc.myns.svc.cluster.local). Which component is primarily responsible for providing this DNS service inside the cluster?

A Deployment is failing to create Pods because the nodes are at their maximum Pod density and scheduling is blocked. Which change is the most appropriate immediate fix to allow the workload to schedule, assuming adding new nodes is not possible?

You created a new StorageClass with dynamic provisioning, but newly created PVCs remain in Pending. The external CSI controller is running. Which is the most likely reason?

A cluster has two Ingress controllers (nginx and traefik). An Ingress resource is being ignored by nginx and handled by traefik. What is the recommended way to ensure the Ingress is processed by nginx?

You are troubleshooting a Pod that cannot reach a ClusterIP Service. DNS resolves correctly, but connections time out. You suspect kube-proxy is not programming rules on one node. Which command provides the most direct evidence that kube-proxy is failing on that node?

A Pod uses a PersistentVolumeClaim and fails with a multi-attach error when rescheduled to a different node during maintenance. The workload is a single-replica database. What is the best explanation for this behavior?

Your team wants to ensure that a set of Pods is spread across nodes to improve availability, but strict anti-affinity is causing scheduling failures when the cluster is small. Which approach best balances availability and schedulability?

You are asked to bootstrap a highly available control plane with multiple API server instances behind a stable endpoint. Which design is recommended for the stable endpoint that kubelets and administrators use to reach the API server?

A NetworkPolicy is applied to restrict ingress to Pods labeled app=payments. After applying it, all traffic is blocked, including from the namespace's ingress controller that should be allowed. What is the most likely cause?

During an incident, you notice that some kube-system components are repeatedly restarting. You suspect the node is under disk pressure and kubelet is evicting Pods. Which observation most directly confirms eviction due to disk pressure?

A Pod must run on every node (including control-plane nodes) to collect node-level logs. The cluster has a default NoSchedule taint on control-plane nodes. The logging Pod is managed by a DaemonSet. What is the BEST way to ensure the DaemonSet runs on control-plane nodes as well?

A workload uses a PersistentVolumeClaim (PVC) with access mode ReadWriteOnce and is deployed as a Deployment with 3 replicas. Only one replica becomes Running; the others remain Pending due to volume attachment conflicts. What is the MOST appropriate fix?

Users report that DNS lookups from Pods are failing intermittently, but only when querying service names (e.g., mysvc.myns.svc.cluster.local). Direct IP connectivity between Pods works. Which component should you check FIRST?

A node repeatedly flips between Ready and NotReady. kubelet logs show it cannot update the Node status because it fails to contact the API server. Pods on the node still have local connectivity. Which troubleshooting action is MOST likely to confirm the root cause quickly?

A cluster uses a PodSecurity admission policy that enforces restricted settings in a namespace. You need to run a one-off troubleshooting Pod that requires hostNetwork and access to the node filesystem via hostPath. What is the BEST practice approach to do this while minimizing security impact?