ckad exam questions Practice Exam 2025: Latest Questions

You need to run a one-off database schema migration as part of an application release. The migration must run to completion exactly once per deployment, and the Pod should not restart on completion. Which Kubernetes object is the best fit?

A Pod needs environment variables that come from multiple keys in a ConfigMap named "app-config". You want to inject all keys as environment variables without listing each key explicitly. What should you use in the Pod spec?

You have a microservice that must only receive traffic when it is ready to serve requests (e.g., after warming caches). Which probe should you configure to control whether the Service sends traffic to the Pod?

An internal backend should be reachable only from within the cluster using a stable virtual IP and DNS name. What Service type is most appropriate?

A Deployment rollout is stuck with new Pods not becoming Ready. You suspect the readiness probe is failing. Which command is the most direct way to confirm probe failures and see the reason?

Your application requires a secret token available as a file at /var/run/secrets/app/token (not as an environment variable). You also want updates to the Secret to be reflected in the file. What is the recommended approach?

You need to ensure that every container in a namespace runs as a non-root user and cannot gain additional Linux capabilities. Which combination is the best practice to enforce this at the Pod level?

You need to expose an HTTP service externally with path-based routing (e.g., /api and /web) to different backend Services, and you want TLS termination at the edge. Which Kubernetes resource is typically used for this?

A team runs a multi-container Pod with an app container and a sidecar that tails a log file from a shared volume. Occasionally the Pod starts, but the sidecar begins tailing before the app has created the log file, causing the sidecar to crash repeatedly and trigger Pod restarts. What is the most robust Kubernetes-native fix?

A Pod must call an external API at a fixed IP, but the security team requires that only this Pod can egress to that IP and all other egress from the namespace should be denied. Assuming a CNI that enforces NetworkPolicies, what is the best solution?

You want a Pod to consume a value from a ConfigMap key named `LOG_LEVEL` as an environment variable, and you want the Pod spec to fail to create if the key is missing. Which approach best satisfies this?

A Deployment creates Pods that should only run on nodes labeled `workload=ml`. What is the simplest correct way to ensure scheduling to those nodes?

You need to pass a single command-line argument `--port=8080` to a container in a Pod. Which field is the correct place for this in the container spec?

A Pod has a livenessProbe that succeeds, but a readinessProbe that fails. What is the expected behavior of Kubernetes with respect to traffic routing and restarts?

You are troubleshooting a Pod stuck in `ImagePullBackOff` in a namespace where the image is stored in a private registry. Which fix is most appropriate?

An app needs to expose an HTTP endpoint internally in the cluster under a stable DNS name, and you want traffic spread across all matching Pods. Which resource combination is the best fit?

You need a one-off administrative task to run to completion exactly once, and it should be retried automatically if it fails. Which Kubernetes workload type is most appropriate?

You deployed a new version of a web app, but users intermittently see 502 errors during rollout. You suspect the app needs ~20 seconds after container start before it can serve requests. What change most directly prevents traffic from reaching the Pod too early?

Your cluster enforces a policy: containers must not run as root and must have a read-only root filesystem. You must update a Pod spec to comply without changing the container image. Which set of fields is most appropriate to add?

You apply a NetworkPolicy in namespace `payments` intending to allow ingress to Pods labeled `app=api` only from Pods labeled `app=frontend`. After applying it, all traffic to `app=api` is blocked, including from `frontend`. Which is the most likely cause?

A Pod has a main container and a sidecar. The main container should start serving traffic only after the sidecar has finished warming a local cache file at /cache/ready. Which approach best fits Kubernetes primitives without adding external controllers?

You need a Deployment to roll out a new image gradually: max 1 unavailable Pod during updates, allow up to 2 extra Pods above desired replicas, and automatically pause the rollout when a new Pod fails readiness checks (without manually adding a pause). Which settings best achieve this?

A backend Pod must only accept connections from a specific frontend namespace and should deny all other intra-cluster traffic by default. Which solution is most appropriate?

A Pod mounts a Secret as files. After the Secret is updated, the application should pick up the new values without a restart, but it currently keeps using the old values. What is the most likely reason?

You are designing a CronJob that must ensure only one job runs at a time. If a previous run is still executing, the next scheduled run should be skipped (not queued). Which configuration satisfies this requirement?