Certified Kubernetes Administrator (CKA) Practice Exam with well-explained answers.

karaniph
9 min read · Oct 7, 2024


  1. You have five Linux EC2 instances running in AWS. You use kubeadm to create a single master cluster with four worker nodes. The output of kubectl get nodes only displays the master and three worker nodes. Which of the following commands could result in the final worker node being displayed in the list of nodes?

A. kubeadm join

B. kubectl get nodes --all-namespaces

C. systemctl restart kubelet

D. kubectl uncordon

2. Your supervisor has asked you to debug a pod that is crashing. What command would be beneficial during this process?

A. kubectl create -f

B. kubectl get nodes -o

C. kubectl logs

D. docker pull

3. Which Kubernetes ServiceType leads to no proxying of any kind being set up in your cluster? Select one answer

A. ClusterIP

B. NodePort

C. LoadBalancer

D. ExternalName

4. You are designing a Kubernetes cluster to be used for production workloads. You want to ensure that the cluster is highly available. Which of the following will help you achieve the goal of high availability for the cluster?

A. Include a load balancer for kube-apiserver traffic

B. Include multiple master nodes

C. Include an etcd cluster

D. Include a default scheduler and a custom scheduler

5. Service accounts are tied to a set of credentials stored as ____, which are mounted into pods, allowing in-cluster processes to talk to the Kubernetes API. Select one answer

A. Crumbs

B. Nodes

C. Secrets

D. Tokens

6. To update a service without an outage, kubectl supports what is called ____.

A. high availability (HA) deployment

B. rolling update

C. automatic-hot failover

D. automatic-warm failover

7. As the Kubernetes administrator in your company you have been notified that the Kubernetes cluster that you administer has been behaving strangely. A team member has told you they suspect one of the cluster’s master components is at fault. How can you quickly check on the status of the master components?

A. Check the output of systemctl status for each component

B. Check the output of kubectl get componentstatuses

C. Check the output of kubeadm upgrade plan

D. Check the output of kubectl get node $master_node

8. You want to configure client certificate authentication on your Kubernetes cluster manually. What tools can you use for this task? (Choose 2 answers)

A. easyrsa

B. openssl

C. gpg

D. oidc

9. You have been pre-creating persistent volumes for a Kubernetes cluster, but as demand increases, you prefer to have persistent volumes automatically created whenever a persistent volume claim requests a persistent volume. What do you need to do to enable this kind of dynamic provisioning of persistent volumes in the cluster?

A. Create a StorageClass and ensure PersistentVolumeClaim resources refer to it

B. Ensure PersistentVolume resources are of type dynamic

C. Mount PersistentVolume resources using the dynamic access mode

D. Ensure the reclaim policy of PersistentVolume resources is set to automatic

10. What does it mean to say that Kubernetes supports automatic resource bin packing?

A. It automatically places containers based on their resource requirements and other constraints.

B. It scales applications up and down based on CPU usage.

C. It automatically mounts the storage system of your choice.

D. It gives containers their own IP addresses and a single DNS name for a set of containers, and can load-balance across them.

11. ____ is responsible for implementing a form of virtual IP for Services of type other than ExternalName.

A. kube-proxy

B. kubectl

C. kubeadm

D. minikube

12. ____ provide load balancing across a set of pods.

A. Clusters

B. Controllers

C. Services

D. Endpoints

13. As the Kubernetes administrator at a startup you need to update operating system packages, including Kubernetes packages, on the servers running your Kubernetes cluster. You have created a plan defining the order and how many nodes are allowed to be updated at a time. You need to make sure that pods are gracefully scheduled onto new nodes when a node is updated.

Which command will you use before updating a node, and which command will you use after updates are complete? (Choose 2 answers)

A. kubectl drain <node_name>

B. kubectl uncordon <node_name>

C. sudo systemctl stop kubelet

D. sudo kubeadm upgrade apply

14. An intern has been given admin access to the Kubernetes cluster that you administer. They accidentally modified and deleted several Kubernetes resources. What command can you use to roll back the cluster to an earlier state?

A. etcdctl snapshot restore

B. kubectl rollback

C. kubeadm reset

D. kubectl restore

15. A ____ is a higher-level controller that automates rolling updates of applications declaratively.

A. Scheduler

B. FailoverController

C. Deployment

D. HAmaster

16. As a Kubernetes administrator you have a multi-node production Kubernetes cluster running on EC2 instances in AWS. A developer has informed you that a single pod application works correctly when using Minikube even if the pod is deleted and rescheduled, but appears to lose all of its data when the pod is rescheduled in production. What is a possible explanation for this?

A. The pod uses a HostPath persistent volume

B. The pod uses a persistent volume with ReadWriteOnce access mode

C. The pod’s container is not running in privileged mode

D. The pod uses a tmpfs (RAM-backed filesystem) volume

17. Your CTO has requested that you start backing up your Kubernetes cluster state daily. You prefer to use Kubernetes to accomplish the task. What kind of Kubernetes resource will you use, and what command will run in a container to back up the data?

A. Job and etcdctl

B. Deployment and rsync

C. CronJob and etcdctl

D. Deployment and etcdctl

18. You have noticed that you cannot connect to a service, and then begin a debugging process through which you notice the following:

  • The connection is immediately dropped
  • There are endpoints in the endpoints list
  • The pod’s containerPort matches up with the Service’s containerPort

What is a likely cause for this problem?

A. The right ports are not exposed.

B. An error in the pod description was silently ignored when the pod was created.

C. There was a failure to pull the image (due to, for example, using an incorrect image name).

D. The proxy can’t contact the pod.

19. What is a Kubernetes cluster service discovery/DNS provider that can be configured automatically by kubeadm?

A. Kube DNS

B. CoreDNS

C. OpenDNS

D. BIND

20. A colleague has asked for your recommendation on how/where to record or store client library information that is useful for debugging purposes, like name, version, and build info. What would you recommend?

A. Store it in a namespace.

B. Store in the pod logs.

C. Assign adequate annotations.

D. Define adequate labels.

ANSWERS WITH EXPLANATIONS

1. A - The join command initializes and joins a worker node to the cluster. The command should be executed on the instance that does not appear in the output of kubectl get nodes.

2. C - What to do when a pod is crashing or otherwise unhealthy?

First, take a look at the logs of the current container:

$ kubectl logs ${POD_NAME} ${CONTAINER_NAME}

If your container has previously crashed, you can access the previous container’s crash log with:

$ kubectl logs --previous ${POD_NAME} ${CONTAINER_NAME}

Alternatively, you can run commands inside that container with exec:

$ kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}

3. D - Kubernetes ServiceTypes allow you to specify what kind of service you want. The default is ClusterIP. Type values and their behaviors are:

  • ClusterIP: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. This is the default ServiceType.
  • NodePort: Exposes the service on each Node’s IP at a static port (the NodePort). A ClusterIP service, to which the NodePort service will route, is automatically created. You’ll be able to contact the NodePort service, from outside the cluster, by requesting <NodeIP>:<NodePort>.
  • LoadBalancer: Exposes the service externally using a cloud provider’s load balancer. NodePort and ClusterIP services, to which the external load balancer will route, are automatically created.
  • ExternalName: Maps the service to the contents of the externalName field (e.g. foo.bar.example.com), by returning a CNAME record with its value. No proxying of any kind is set up. This requires version 1.7 or higher of kube-dns.

4. A, B & C - Setting up a highly available Kubernetes cluster requires multiple master nodes, load balancing API server traffic, and an etcd cluster. Adding a custom scheduler does not impact availability. Traffic for kube-proxy does not require a load balancer because each node runs its own replica of kube-proxy.

5. C - Service accounts are users managed by the Kubernetes API and are bound to specific namespaces. The accounts are created automatically by the API server or manually through API calls, and tied to a set of credentials stored as Secrets. These Secrets are then mounted into pods, allowing in-cluster processes to talk to the Kubernetes API.

6. B - To update a service without an outage, kubectl supports what is called ‘rolling update’, which updates one pod at a time, rather than taking down the entire service at the same time. Note that kubectl rolling-update only supports Replication Controllers.

7. B - The output of kubectl get componentstatuses tells you the status of the cluster’s default scheduler, controller manager, and etcd data store. The status of the API server is implicitly tested because kubectl will output an error message if the API server cannot be reached.

8. A & B - When using client certificate authentication, you can generate certificates using an existing deployment script or manually through easyrsa or openssl. https://kubernetes.io/docs/tasks/administer-cluster/certificates/

9. B - Dynamic provisioning of persistent volumes is made possible by creating storage classes and referring to a specific storage class in a persistent volume claim.

There is no dynamic type for PersistentVolume resources.

There is no dynamic access mode for PersistentVolume resources. Access mode relates to how many times a volume can be mounted for writing and reading.

There is no automatic reclaim policy for PersistentVolume resources. Possible values are retain, recycle, or delete. The reclaim policy relates to what happens to the PersistentVolume after it is released by a PersistentVolumeClaim.

10. A - Kubernetes supports automatic bin packing, which means that it automatically places containers based on their resource requirements and other constraints.

11. A - Every node in a Kubernetes cluster runs a kube-proxy. kube-proxy is responsible for implementing a form of virtual IP for Services of type other than ExternalName. In Kubernetes v1.0 the proxy was purely in userspace. In Kubernetes v1.1 an iptables proxy was added, but was not the default operating mode. Since Kubernetes v1.2, the iptables proxy is the default.

12. C - Services provide load balancing across a set of pods. For every Service object, the apiserver makes an endpoints resource available. You can view this resource with:

$ kubectl get endpoints ${SERVICE_NAME}

https://kubernetes.io/docs/tasks/debug-application-cluster/debug-application/

13. A & B - To update operating system packages on a node in a Kubernetes cluster, you should first drain the node using kubectl drain <node_name>. Draining gracefully evicts pods running on the node by sending a TERM (terminate) signal to the main process in each container in the pods. It also prevents any new pods from being scheduled onto the node so you can update the system. Once the updates are complete, you can allow pods to be scheduled onto the node by issuing kubectl uncordon <node_name>.

14. A - The etcdctl snapshot restore command restores an etcd snapshot to an etcd directory, in effect restoring the state of the cluster to the condition it was in at the time the backup was created.

15. C - If you deploy applications with Replication Controllers, you should consider switching them to Deployments. A Deployment is a higher-level controller that automates rolling updates of applications declaratively and therefore is recommended.

16. A - The HostPath persistent volume type should only be used on single node clusters, such as Minikube. If the pod is scheduled onto a different node, the persistent volume will not find the data at the original node’s host path.

The access mode doesn’t affect the data’s persistence.

Privileged mode doesn’t impact the ability of a pod to mount a volume after being rescheduled.

A tmpfs volume could explain why data is deleted when the pod is rescheduled, but because the pod data persists on Minikube it can’t be using a tmpfs volume.

17. C - Kubernetes CronJob resources can run a job on a periodic schedule. The etcdctl command can connect to secured etcd clusters and back up the cluster state using the snapshot save command.

18. D - If you can connect to the service but the connection is immediately dropped, and there are endpoints in the endpoints list, it is likely that the proxy can’t contact your pods.

There are three things to check:

  • Are your pods working correctly? Look for restart count, and debug pods.
  • Can you connect to your pods directly? Get the IP address for the Pod, and try to connect directly to that IP.
  • Is your application serving on the port that you configured? Kubernetes doesn’t do port remapping, so if your application serves on 8080, the containerPort field needs to be 8080.

https://kubernetes.io/docs/user-guide/application-troubleshooting/

19. B - Kubeadm will install CoreDNS from version 1.11, when CoreDNS reaches general availability (GA).

20. C - Annotations are useful for attaching arbitrary non-identifying metadata to objects, for retrieval by API clients such as tools, libraries, etc. This information may be large, may be structured or unstructured, may include characters not permitted by labels, etc. Such information would not be used for object selection and therefore doesn’t belong in labels.
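
Answer 8 names openssl as one way to produce client certificates manually. The script below is an added example, not part of the original post: it issues a client certificate whose CN and O fields carry the Kubernetes user name and group, then shows that only a certificate chaining to the trusted CA passes verification. The CA names, user names and group are constructed, and the throwaway cluster-ca stands in for the CA the API server is configured to trust.

```sh
#!/bin/sh
# Added example, not from the original post. cluster-ca, other-ca, jane, bob
# and dev-team are constructed names; all files live in a temp directory.
set -eu
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
make_ca() {  # $1 = CA name; stands in for the CA the API server trusts
  openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/$1.key" -days 1 -subj "/CN=$1" \
    -config "$WORKDIR/openssl.cnf" -out "$WORKDIR/$1.crt"
}

issue_client_cert() {  # $1 = signing CA, $2 = user (CN), $3 = group (O)
  openssl genrsa -out "$WORKDIR/$2.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$2.key" -subj "/O=$3/CN=$2" \
    -config "$WORKDIR/openssl.cnf" -out "$WORKDIR/$2.csr"
  openssl x509 -req -in "$WORKDIR/$2.csr" -days 1 -CAcreateserial \
    -CA "$WORKDIR/$1.crt" -CAkey "$WORKDIR/$1.key" \
    -extfile "$WORKDIR/openssl.cnf" -extensions client \
    -out "$WORKDIR/$2.crt" 2>/dev/null
}

verify_client() {  # $1 = trusted CA, $2 = user; true only for a valid chain
  openssl verify -purpose sslclient -CAfile "$WORKDIR/$1.crt" \
    "$WORKDIR/$2.crt" >/dev/null 2>&1
}
cert_subject() {  # $1 = user; prints the subject in RFC 2253 form
  openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt RFC2253
}

make_ca cluster-ca; make_ca other-ca
issue_client_cert cluster-ca jane dev-team
issue_client_cert other-ca bob dev-team
cert_subject jane
verify_client cluster-ca jane && echo "jane: chains to cluster-ca"
verify_client cluster-ca bob || echo "bob: rejected, issuer is not trusted"
```

Kubernetes takes the user name from the certificate's CN and group memberships from its O fields, so whoever can sign with the cluster CA decides which identities exist; keep that CA key off worker nodes and issue short-lived certificates.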
