CKAD (CNCF): Practice Questions
Original concept-check questions for the CKAD (Certified Kubernetes Application Developer). The real exam is hands-on, so these test the underlying knowledge behind the tasks - across all the curriculum domains. Each answer is explained, including why the others are wrong. These are concept checks, not real exam questions.
- A Kubernetes Job:
  Correct answer: B. A Job runs one or more pods to completion for a batch task, then stops. It is not a Secret (which stores sensitive data), not a Service (which routes traffic), and not a controller that runs continuously forever (that is a Deployment).
- A CronJob:
  Correct answer: D. A CronJob runs a Job on a time-based schedule. It is not a Service, not an Ingress rule (which routes external HTTP traffic), and it does not provision storage.
- A 'sidecar' is:
  Correct answer: C. A sidecar is a helper container (for logging, a proxy, and so on) running alongside the main container in the same pod. It is not a NetworkPolicy, a StorageClass, or a standalone node.
- An init container:
  Correct answer: C. An init container runs to completion, in order, before the app containers start. It is not a Service, it runs before (not after) the app containers, and it does not replace the main container.
- An emptyDir volume:
  Correct answer: C. An emptyDir volume provides ephemeral storage shared by a pod's containers and is removed when the pod is deleted. It does not persist after the pod is deleted, is not encrypted by default, and is not a remote disk.
- Container images used by a pod are:
  Correct answer: A. A pod references its container images in the pod spec, and they are pulled from a registry. Images are not created by Ingress, not stored in etcd, and not defined by a Service.
- A ConfigMap injects into a pod:
  Correct answer: D. A ConfigMap injects non-secret configuration as environment variables or files. Sensitive secrets belong in a Secret, container images are pulled from a registry, and network rules come from a NetworkPolicy.
- A Secret is used to provide a pod with:
  Correct answer: C. A Secret provides sensitive data such as passwords and tokens. CPU limits are set in the container resources, non-secret settings go in a ConfigMap, and an ingress route is configured by an Ingress.
- A SecurityContext on a pod or container sets:
  Correct answer: A. A SecurityContext sets security settings such as the user ID and privileges (runAsUser, privileged, and similar). The container image, storage class, and service type are configured in different fields.
- To make a container run as a non-root user you:
  Correct answer: B. You set runAsNonRoot or runAsUser in the SecurityContext to enforce a non-root user. Adding an Ingress, a CronJob, or a Service does not control which user the container runs as.
- A ServiceAccount provides:
  Correct answer: C. A ServiceAccount provides an identity for the processes running in a pod, used for API access. DNS resolution comes from CoreDNS, an external load balancer comes from a LoadBalancer Service, and persistent storage comes from a PersistentVolume.
- Setting CPU/memory 'requests' on a container mainly affects:
  Correct answer: A. Requests mainly affect scheduling, because the scheduler reserves that amount when placing the pod (limits cap usage). The container image, the namespace, and the service type are unrelated to requests.
- A rolling update on a Deployment:
  Correct answer: B. A rolling update replaces pods gradually to avoid downtime. It does not cancel the deployment, it does not delete all pods then recreate them (that is the Recreate strategy), and it changes the pods, not just the namespace.
- To roll back a Deployment to its previous revision you run:
  Correct answer: C. `kubectl rollout undo` reverts a Deployment to its prior revision. `kubectl taint` marks nodes, `kubectl delete` removes objects, and `kubectl scale` changes the replica count.
- A canary deployment:
  Correct answer: D. A canary deployment sends a small share of traffic to the new version first, so problems are caught before a full rollout. It does not skip testing, delete the old version immediately, or send all traffic to the new version at once.
- The command 'kubectl set image' is used to:
  Correct answer: C. `kubectl set image` updates a Deployment's container image, which triggers a rollout. Draining a node is `kubectl drain`, scaling is `kubectl scale`, and creating a Secret is `kubectl create secret`.
- The Deployment strategy 'Recreate':
  Correct answer: A. The Recreate strategy terminates all old pods before creating new ones, which causes downtime. It is not the default (RollingUpdate is), it does not have zero downtime, and it is not limited to Jobs.
- Helm is best described as:
  Correct answer: B. Helm is a package manager for Kubernetes that deploys applications via charts. It is not a monitoring tool, a network plugin, or a container runtime.
- A Service of type ClusterIP provides:
  Correct answer: D. A ClusterIP Service provides a stable internal-only endpoint for pods inside the cluster. It does not provide storage, an ingress controller, or public internet access (NodePort and LoadBalancer expose externally).
- Ingress routes:
  Correct answer: C. Ingress routes external HTTP/S traffic to services in the cluster. It does not handle pod-to-pod traffic only, etcd writes, or storage requests.
- A Service selects which pods to target using:
  Correct answer: A. A Service selects target pods using labels matched by its selector. It does not select by node names, annotations, or namespaces alone.
- To quickly expose a Deployment as a Service you can run:
  Correct answer: A. `kubectl expose` quickly creates a Service for a Deployment. `kubectl logs` shows container output, `kubectl cordon` marks a node unschedulable, and `kubectl drain` evicts pods from a node.
- A headless Service (clusterIP: None):
  Correct answer: D. A headless Service returns the pods' individual IPs for direct addressing, often used for stateful apps. It does not block all traffic, act as an Ingress, or load-balance through a single cluster IP.
- A NetworkPolicy in an application context:
  Correct answer: B. A NetworkPolicy restricts which pods can talk to which. It does not schedule pods, store config (that is a ConfigMap), or build images.
- A liveness probe:
  Correct answer: B. A liveness probe restarts the container if the probe fails. Controlling whether a pod receives traffic is a readiness probe; provisioning storage and setting the image are unrelated.
- A readiness probe:
  Correct answer: A. A readiness probe controls whether the pod receives traffic, holding it back until the pod is ready. Restarting the container on failure is a liveness probe; building the image and deleting the pod are unrelated.
- To view an application pod's logs you run:
  Correct answer: C. `kubectl logs <pod>` shows a container's output for debugging. `kubectl taint` marks nodes, `kubectl scale` changes replicas, and `kubectl get pv` lists persistent volumes.
- To open an interactive shell in a running container you run:
  Correct answer: A. `kubectl exec -it <pod> -- sh` opens an interactive shell in a running container. `kubectl apply` creates or updates resources, `kubectl cordon` marks a node unschedulable, and `kubectl rollout` manages rollouts.
- A startup probe is useful when:
  Correct answer: C. A startup probe is useful when a slow-starting container needs time before liveness checks begin, preventing premature restarts. It is not for deleting a pod, fixing a container that never starts, or adding storage.
- Mounting a Secret as a volume rather than an environment variable:
Correct answer: A. Mounting a Secret as a volume lets it be consumed as files and can pick up updates while the pod runs, unlike env vars, which are fixed at start. It does not encrypt the cluster, it is possible (not impossible), and it does not disable the Secret.
Practice questions FAQ
- Are these real CKAD exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use the per-domain score below to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.