CKA (CNCF): Practice Questions
Original concept-check questions for the CKA (Certified Kubernetes Administrator). The real exam is hands-on, so these test the underlying knowledge behind the tasks - across all the curriculum domains. Each answer is explained, including why the others are wrong. These are concept checks, not real exam questions.
What does etcd store in a Kubernetes cluster?
Correct answer: B. etcd is the key-value store that holds all cluster state and configuration, which is why the CKA tests backing it up and restoring it. Container images live in a registry, application logs live on the nodes, and node operating systems are installed on the machines themselves.
In Kubernetes RBAC, permissions are granted by combining:
Correct answer: C. RBAC grants access by binding a Role or ClusterRole (the permissions) to a subject via a RoleBinding or ClusterRoleBinding. A Deployment and ReplicaSet manage pods, a ConfigMap and Secret hold data, and a Pod and Service run and expose workloads, none of which control access.
Which tool bootstraps a Kubernetes cluster in the CKA context?
Correct answer: B. kubeadm initialises and joins cluster nodes. kubectl operates the cluster, helm packages apps, etcdctl manages etcd.
Which control-plane component assigns pods to nodes?
Correct answer: A. The scheduler places pods on suitable nodes. The API server is the front end, the kubelet runs pods on a node, kube-proxy handles networking.
The kube-apiserver is best described as:
Correct answer: D. The kube-apiserver is the front end of the control plane that all components talk to. It is not a storage backend (that is etcd), not a logging service, and not the pod network (provided by a CNI plugin).
To back up Kubernetes cluster state you should:
Correct answer: D. Cluster state lives in etcd, so you snapshot etcd to back it up. Copying /var/log captures only logs, exporting all pods misses other cluster state, and restarting the kubelet does not save any state.
A ClusterRole differs from a Role in that a ClusterRole is:
Correct answer: B. A ClusterRole is cluster-scoped and applies across all namespaces, whereas a Role is namespaced. A ClusterRole is not read-only and is not limited to pods.
A Deployment primarily manages:
Correct answer: A. A Deployment manages ReplicaSets and performs rolling updates of pods. Nodes, network policies, and storage classes are separate resources managed elsewhere.
A ConfigMap is used to store:
Correct answer: C. A ConfigMap stores non-secret configuration data. Sensitive passwords belong in a Secret, persistent volumes are storage objects, and container images are pulled from a registry.
A Kubernetes Secret, by default, stores data that is:
Correct answer: D. By default a Secret stores data that is base64-encoded but not encrypted unless encryption at rest is configured. It is not plain text in logs, not encrypted automatically, and not stored on the pod's disk.
The difference between a container's resource 'requests' and 'limits' is:
Correct answer: A. Requests are the guaranteed minimum used for scheduling; limits are the maximum the container may use. Limits are not ignored, requests do not cap usage, and the two are not identical.
A taint on a node:
Correct answer: D. A taint repels pods that do not have a matching toleration, keeping them off the node. It does not add storage, delete the node, or expose a service.
To scale a Deployment named web to 5 replicas you would:
Correct answer: B. `kubectl scale deployment web --replicas=5` sets the replica count to 5. `kubectl delete web` removes it, `kubectl taint web` is not valid for a Deployment, and `kubectl logs web` shows logs.
A Service of type ClusterIP:
Correct answer: A. A ClusterIP Service exposes pods on a stable internal cluster IP, reachable only inside the cluster. Exposing to the internet is done by NodePort or LoadBalancer; provisioning storage and scheduling pods are unrelated.
A NodePort Service exposes the service:
Correct answer: B. A NodePort Service exposes the service on a static port on every node. It does not run on etcd, work only through CoreDNS, or stay inside one pod.
Ingress is used to:
Correct answer: B. Ingress routes external HTTP/S traffic to services in the cluster. Storing secrets is a Secret, scheduling pods is the scheduler's job, and backing up etcd is a separate task.
A NetworkPolicy:
Correct answer: C. A NetworkPolicy controls which traffic is allowed between pods. It does not build images, provision volumes, or manage RBAC.
CoreDNS in a cluster provides:
Correct answer: D. CoreDNS provides in-cluster DNS and service discovery, resolving service names to IPs. Storage provisioning, the container runtime, and image scanning are handled by other components.
Because a pod's IP address is ephemeral, stable access to pods is provided by:
Correct answer: C. A Service gives a stable endpoint in front of changing pod IPs. A Node is a machine, a ConfigMap holds configuration, and an etcd snapshot is a backup, none of which provide stable pod access.
A PersistentVolumeClaim (PVC) is:
Correct answer: D. A PVC is a pod's request for storage, which binds to a PersistentVolume. It is not a container image, a node, or a network rule.
A StorageClass:
Correct answer: B. A StorageClass defines how storage is dynamically provisioned, describing the provisioner and parameters. It does not hold secrets, route traffic, or schedule pods.
A PersistentVolume reclaim policy of 'Retain' means that when the PVC is deleted, the volume's data is:
Correct answer: A. With the Retain policy, deleting the PVC keeps the volume and its data for manual handling rather than removing it. It does not move the data to another node, encrypt it, or delete it immediately (that is the Delete policy).
A PersistentVolume (PV) represents:
Correct answer: A. A PV represents a piece of cluster storage available to claim, which a PVC binds to. It is not a namespace, a pod, or a service.
To find out why a pod will not start, the most useful first command is:
Correct answer: A. `kubectl describe pod` shows the Events that explain scheduling or start failures. `kubectl scale` changes replicas, `kubectl drain` evicts pods from a node, and `kubectl delete pod` removes the pod without diagnosing anything.
To view the logs of a container in a pod you run:
Correct answer: B. `kubectl logs <pod>` streams a container's output. `kubectl get nodes` lists nodes, `kubectl cordon` marks a node unschedulable, and `kubectl taint` adds a taint to a node.
A pod stuck in 'Pending' usually means:
Correct answer: C. Pending means the scheduler cannot place it. CrashLoopBackOff/ImagePullBackOff describe other failures.
'CrashLoopBackOff' indicates that a container is:
Correct answer: B. CrashLoopBackOff means the container is repeatedly starting and crashing, with a growing back-off between restarts. It is not terminating gracefully, pulling its image (that is ImagePullBackOff), or pending scheduling.
If a node shows status 'NotReady', the component to check first is:
Correct answer: A. NotReady usually points to a problem with the kubelet on that node, so check it first. CoreDNS handles DNS, etcd stores state, and the Ingress controller routes traffic, none of which set node readiness.
'ImagePullBackOff' means Kubernetes:
Correct answer: D. ImagePullBackOff means Kubernetes cannot pull the container image, usually due to a bad name, missing auth, or an unreachable registry. It is not about missing storage, a lost network policy, or being unable to reach etcd.
To run a command inside a running container you use:
Correct answer: A. `kubectl exec` runs a command (or shell) inside a running container. `kubectl scale` changes replicas, `kubectl cordon` marks a node unschedulable, and `kubectl apply` creates or updates resources.
Practice questions FAQ
- Are these real CKA exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use the per-domain score below to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.