50 cka exam questions Practice Questions: Question Bank 2025

You need to create a new namespace called 'production' and set resource quotas to limit the namespace to a maximum of 10 pods. Which commands should you execute?

A pod in your cluster is stuck in the 'Pending' state. When you describe the pod, you see the event message: '0/3 nodes are available: 3 Insufficient cpu'. What is the most appropriate action to resolve this issue?

You need to expose a deployment named 'webapp' on port 8080 internally within the cluster. The deployment has the label 'app=webapp'. Which command accomplishes this?

You need to configure a pod to mount a ConfigMap named 'app-config' as environment variables. Which pod specification accomplishes this correctly?

Your application requires persistent storage that can be accessed by multiple pods simultaneously with read-write access. Which access mode and volume type combination would be most appropriate?

You are troubleshooting a cluster where pods cannot communicate with the API server. The kubelet logs show 'unable to authenticate the request due to an error: x509: certificate has expired'. What is the most likely solution?

You need to ensure that a critical system pod runs on every node in the cluster, including master nodes, even if the nodes are marked as unschedulable. What Kubernetes resource should you use?

An application pod needs to communicate with an external database that uses a non-standard port and has a static IP address outside the cluster. What is the best practice for configuring this connectivity?

Your organization requires that all pods in the 'secure' namespace must run as non-root and cannot escalate privileges. You need to enforce this at the namespace level. Which approach should you implement?

You are investigating why a newly deployed application cannot resolve DNS names. You verify that CoreDNS pods are running. Using 'kubectl exec' to run 'nslookup kubernetes.default' from the application pod fails, but 'nslookup kubernetes.default <coredns-service-ip>' succeeds. What is the most likely cause?

You need to configure a Pod to use a specific ServiceAccount for authentication with the Kubernetes API. The ServiceAccount is named 'app-sa' and exists in the 'production' namespace. Which configuration should you add to the Pod specification?

A DaemonSet is not scheduling Pods on two of your worker nodes that have the taint 'maintenance=true:NoSchedule'. You need the DaemonSet Pods to run on these nodes as well. What is the most appropriate solution?

You are troubleshooting a Service that is not routing traffic to its backend Pods. When you run 'kubectl get endpoints <service-name>', the ENDPOINTS column shows '<none>'. What is the most likely cause?

Your application requires persistent storage that can be accessed by multiple Pods simultaneously with read-write access. Which access mode must the PersistentVolume support?

A Pod in your cluster is stuck in 'CrashLoopBackOff' state. You check the logs with 'kubectl logs' but see no output. What is the best next troubleshooting step?

You need to upgrade a Kubernetes cluster from version 1.26 to 1.28. What is the recommended upgrade path according to Kubernetes best practices?

You have configured a NetworkPolicy to allow ingress traffic to Pods with label 'app=web' only from Pods with label 'app=frontend'. However, the frontend Pods still cannot connect to the web Pods. What could be the issue?

You need to drain a node for maintenance, but one Pod protected by a PodDisruptionBudget (PDB) is preventing the drain operation. The error indicates that evicting the Pod would violate the PDB. What is the appropriate action?

Your application Pods need to resolve a legacy external service using a custom DNS name that differs from the actual external hostname. What Kubernetes resource should you create to accomplish this?

You are investigating why the etcd cluster is experiencing performance issues. Which metric would be most critical to examine for identifying slow disk performance affecting etcd?

You need to create a NetworkPolicy that allows traffic only from pods with the label 'role=frontend' to pods with the label 'app=backend' on port 8080. Which NetworkPolicy specification correctly implements this requirement?

A StatefulSet pod named 'database-0' is stuck in Pending state. Upon investigation, you see the error 'pod has unbound immediate PersistentVolumeClaims'. What is the most likely cause and solution?

You need to schedule a DaemonSet only on nodes that have SSD storage. The nodes are labeled with 'disktype=ssd'. What should you configure in the DaemonSet specification?

Your Kubernetes cluster's etcd is experiencing performance issues. You need to verify the etcd cluster health and identify if there are any leader election problems. Which command would you use?

You want to ensure that pods in namespace 'production' can only use the StorageClass named 'fast-ssd' by default when they don't specify a storageClassName. How would you configure this?

A critical application deployment is experiencing intermittent connection timeouts. You discover that some pods are being scheduled on nodes with high network latency. What scheduling feature should you implement to prefer nodes in specific availability zones with lower latency?

After upgrading the control plane nodes, kubectl commands are failing with 'Unable to connect to the server: x509: certificate signed by unknown authority'. What is the most likely cause?

You need to configure a Service to expose an application that requires session affinity so that clients are always routed to the same pod. What configuration should you add to the Service specification?

Your organization requires that all pods in the cluster must run as non-root users and cannot use privileged containers. Which combination of admission controllers and policies would enforce this requirement cluster-wide?

A node in your cluster has been drained for maintenance using 'kubectl drain', but the drain command is stuck because one pod cannot be evicted. The pod is not managed by a controller. What flag must you add to the drain command to proceed?

You need to configure a Pod to use a specific ServiceAccount that has been created in the same namespace. The ServiceAccount is named 'app-reader'. Which field should you add to the Pod specification?

A Pod is in CrashLoopBackOff state. When you run 'kubectl logs <pod-name>', you see an error message but it's from a previous instance of the container. How can you view logs from the current failing container instance?

You need to temporarily prevent new Pods from being scheduled on a node named 'worker-03' while keeping existing Pods running. What command should you use?

An application requires specific kernel parameters to be set on the host node. How should you configure this in a Pod specification?

You have a StatefulSet with 3 replicas. After a node failure, one Pod is stuck in Pending state because the PersistentVolume is still attached to the failed node. What is the recommended approach to resolve this?

You need to expose a Deployment on port 8080 internally within the cluster. Pods should be able to access it using a stable DNS name. What type of Service should you create?

A critical application Pod needs guaranteed CPU and memory resources. The application requires 2 CPU cores and 4Gi of memory. How should you configure the resource requirements?

You need to configure network policies to allow traffic only from Pods with label 'app=frontend' to Pods with label 'app=backend' on port 5432. All other ingress traffic to backend Pods should be denied. What should your NetworkPolicy include?

Your cluster uses a custom StorageClass with volumeBindingMode set to WaitForFirstConsumer. A PVC has been created but remains in Pending state. What is the most likely reason and solution?

You need to perform a rolling update of a Deployment with zero downtime. The Deployment has 4 replicas, and you want to ensure at least 3 replicas are always available during the update. Which rolling update strategy configuration should you use?

You need to configure a Pod to use a specific DNS policy that allows it to inherit DNS resolution from the node it runs on. Which dnsPolicy value should you specify in the Pod specification?

A developer reports that a newly deployed application in namespace 'production' cannot access the Kubernetes API server. You discover the ServiceAccount is missing. What command would create a ServiceAccount named 'app-sa' in the production namespace?

You are troubleshooting a Pod that is stuck in the Pending state. After running 'kubectl describe pod', you see the event: 'pod has unbound immediate PersistentVolumeClaims'. What is the most likely cause of this issue?

Your cluster has multiple worker nodes, and you need to ensure that a DaemonSet named 'log-collector' does NOT run on nodes with the label 'node-type=edge'. What should you add to the DaemonSet specification?

You need to perform a rolling update of a Deployment but want to ensure that at least 70% of desired Pods are always available during the update. Which strategy configuration should you use?

A cluster administrator needs to backup all etcd data. The etcd cluster is running as static pods on the control plane nodes with certificates in /etc/kubernetes/pki/etcd/. Which command would create a proper snapshot?

You are configuring network policies and need to allow ingress traffic to Pods labeled 'app=database' only from Pods labeled 'app=backend' in the same namespace on port 5432. Which NetworkPolicy specification is correct?

A PersistentVolume has been manually created with a reclaim policy of 'Retain'. After the PVC bound to this PV is deleted, what happens to the PV and its data?

Your cluster's kube-apiserver is not starting after a configuration change. The kubelet logs show: 'failed to run Kubelet: unable to load client CA file /etc/kubernetes/pki/ca.crt'. You verify the file exists with correct permissions. The cluster was recently upgraded. What is the most likely cause?

You need to configure a cluster to use an external etcd cluster for high availability. The external etcd cluster has three members. What configuration must be present in the kube-apiserver manifest to connect to this external etcd cluster?