Linux Foundation Real Dumps Practice Exam Questions by Dumpswarp

Certified Kubernetes Administrator (CKA) Program Questions and Answers

Question 1

You must connect to the correct host.

Failure to do so may result in a zero score.

[candidate@base] $ ssh Cka000055

Task

Verify the cert-manager application which has been deployed to your cluster .

Using kubectl, create a list of all cert-manager Custom Resource Definitions (CRDs ) and save it

to ~/resources.yaml .

You must use kubectl 's default output format.

Do not set an output format.

Failure to do so will result in a reduced score.

Using kubectl, extract the documentation for the subject specification field of the Certificate Custom Resource and save it to ~/subject.yaml.

Options:

Question 2

Score: 4%

Task

Create a pod named kucc8 with a single app container for each of the following images running inside (there may be between 1 and 4 images specified): nginx + redis + memcached .

Options:

Question 3

Task

Create a new HorizontalPodAutoscaler (HPA ) named apache-server in the autoscale

namespace. This HPA must target the existing Deployment called apache-server in the

autoscale namespace.

Set the HPA to aim for 50% CPU usage per Pod . Configure it to have at least 1 Pod and no more than 4 Pods . Also, set the downscale stabilization window to 30 seconds.

Options:

Question 4

Scale the deployment webserver to 6 pods.

Options:

Question 5

You must connect to the correct host.

Failure to do so may result in a zero score.

[candidate@base] $ ssh Cka000051

Context

You manage a WordPress application. Some Pods are not starting because resource requests are too high. Your task Is to prepare a Linux system for Kubernetes . Docker is already installed, but you need to configure it for kubeadm .

Task

Complete these tasks to prepare the system for Kubernetes :

Set up cri-dockerd :

. Install the Debian package

~/cri-dockerd_0.3.9.3-0.ubuntu-jammy_am

d64.deb

Debian packages are installed using

dpkg .

. Enable and start the cri-docker service

Configure these system parameters:

. Set net.bridge.bridge-nf-call-iptables to 1

Options:

Answer:

See the solution below.

Explanation:

Task Summary

You are given a host to prepare for Kubernetes:

Use dpkg to install cri-dockerd

Enable and start the cri-docker service

Set net.bridge.bridge-nf-call-iptables to 1 via sysctl

Step-by-Step Instructions

1️⃣ SSH into the correct node

bash

CopyEdit

ssh cka000051

⚠️ Required — failure to connect to the correct host = zero score.

2️⃣ Install cri-dockerd

You are told the .deb file is already located at:

bash

CopyEdit

~/cri-dockerd_0.3.9.3-0.ubuntu-jammy_amd64.deb

Install it with dpkg:

bash

CopyEdit

sudo dpkg -i ~/cri-dockerd_0.3.9.3-0.ubuntu-jammy_amd64.deb

???? If any dependencies are missing (e.g., golang or containerd), you might need:

bash

CopyEdit

sudo apt-get install -f -y

But usually, the exam system provides a pre-validated .deb environment.

3️⃣ Enable and start cri-docker service

Start and enable both services:

bash

CopyEdit

sudo systemctl enable cri-docker.service

sudo systemctl enable --now cri-docker.socket

sudo systemctl start cri-docker.service

Check status (optional but smart):

bash

CopyEdit

sudo systemctl status cri-docker.service

You should see it active (running).

4️⃣ Configure the sysctl parameter

Set net.bridge.bridge-nf-call-iptables=1 immediately and persistently.

Step A: Apply immediately:

sudo sysctl net.bridge.bridge-nf-call-iptables=1

Step B: Persist it in /etc/sysctl.d:

Create or modify a file:

echo "net.bridge.bridge-nf-call-iptables = 1" | sudo tee /etc/sysctl.d/k8s.conf

Reload sysctl:

sudo sysctl --system

Verify:

sysctl net.bridge.bridge-nf-call-iptables

Should return:

net.bridge.bridge-nf-call-iptables = 1

✅ Now the system is ready for kubeadm with Docker (via cri-dockerd)!

ssh cka000051

sudo dpkg -i ~/cri-dockerd_0.3.9.3-0.ubuntu-jammy_amd64.deb

sudo systemctl enable cri-docker.service

sudo systemctl enable --now cri-docker.socket

sudo systemctl start cri-docker.service

sudo sysctl net.bridge.bridge-nf-call-iptables=1

echo "net.bridge.bridge-nf-call-iptables = 1" | sudo tee /etc/sysctl.d/k8s.conf

sudo sysctl --system

Question 6

You must connect to the correct host.

Failure to do so may result in a zero score.

[candidate@base] $ ssh Cka000054

Context:

Your cluster 's CNI has failed a security audit. It has been removed. You must install a new CNI

that can enforce network policies.

Task

Install and set up a Container Network Interface (CNI ) that meets these requirements:

Pick and install one of these CNI options:

· Flannel version 0.26.1

Manifest:

· Calico version 3.28.2

Manifest:

calico/calico/v3.28.2/manifests/tigera-operator.yaml

Options:

Question 7

Task Weight: 4%

Task

Scale the deployment webserver to 3 pods.

Options:

Question 8

Create a deployment as follows:

Name: nginx-random

Exposed via a service nginx-random

Ensure that the service and pod are accessible via their respective DNS records

The container(s) within any pod(s) running as a part of this deployment should use the nginx Image

Next, use the utility nslookup to look up the DNS records of the service and pod and write the output to /opt/KUNW00601/service.dns and /opt/KUNW00601/pod.dns respectively.

Options:

Question 9

List all the pods sorted by created timestamp

Options:

Question 10

Create a pod with image nginx called nginx and allow traffic on port 80

Options:

Question 11

Create and configure the service front-end-service so it's accessible through NodePort and routes to the existing pod named front-end.

Options:

Question 12

Create 2 nginx image pods in which one of them is labelled with env=prod and another one labelled with env=dev and verify the same.

Options:

Question 13

Score: 4%

Task

Schedule a pod as follows:

• Name: nginx-kusc00401

• Image: nginx

• Node selector: disk=ssd

Options:

Question 14

Task

Create a new Ingress resource as follows:

. Name: echo

. Namespace : sound-repeater

. Exposing Service echoserver-service on

using Service port 8080

The availability of Service

echoserver-service can be checked

using the following command, which should return 200 :

[candidate@cka000024] $ curl -o /de v/null -s -w "%{http_code}\n"

Options:

Question 15

Score: 4%

Task

Check to see how many nodes are ready schedulable (not including nodes tainted NoSchedule ) and write the number to /opt/KUSC00402/kusc00402.txt.

Options:

Question 16

You must connect to the correct host.

Failure to do so may result in a zero score.

[candidate@base] $ ssh Cka000056

Task

Review and apply the appropriate NetworkPolicy from the provided YAML samples.

Ensure that the chosen NetworkPolicy is not overly permissive, but allows communication between the frontend and backend Deployments, which run in the frontend and backend namespaces respectively.

First, analyze the frontend and backend Deployments to determine the specific requirements for the NetworkPolicy that needs to be applied.

Next, examine the NetworkPolicy YAML samples located in the ~/netpol folder.

Failure to comply may result in a reduced score.

Do not delete or modify the provided samples. Only apply one of them.

Finally, apply the NetworkPolicy that enables communication between the frontend and backend Deployments, without being overly permissive.

Options:

Answer:

See the solution below.

Explanation:

Task Summary

Connect to host cka000056

Review existing frontend and backend Deployments

Choose one correct NetworkPolicy from the ~/netpol directory

The policy must:

Allow traffic only from the frontend Deployment to the backend Deployment

Avoid being overly permissive

Apply the correct NetworkPolicy without modifying any sample files

Step-by-Step Instructions

Step 1: SSH into the correct node

ssh cka000056

Step 2: Inspect the frontend Deployment

Check the labels used in the frontend Deployment:

kubectl get deployment -n frontend -o yaml

Look under metadata.labels or spec.template.metadata.labels. Note the app or similar label (e.g., app: frontend).

Step 3: Inspect the backend Deployment

kubectl get deployment -n backend -o yaml

Again, find the labels assigned to the pods (e.g., app: backend).

Step 4: List and review the provided NetworkPolicies

List the available files:

ls ~/netpol

Check the contents of each policy file:

cat ~/netpol/.yaml

Look for a policy that:

Has kind: NetworkPolicy

Applies to the backend namespace

Uses a podSelector that matches the backend pods

Includes an ingress.from rule that references the frontend namespace using a namespaceSelector (and optionally a podSelector)

Does not allow traffic from all namespaces or all pods

Here’s what to look for in a good match:

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

namespace: backend

spec:

podSelector:

matchLabels:

app: backend

ingress:

- from:

- namespaceSelector:

matchLabels:

Even better if the policy includes:

- namespaceSelector:

matchLabels:

podSelector:

matchLabels:

app: frontend

This limits access to pods in the frontend namespace with a specific label.

Step 5: Apply the correct NetworkPolicy

Once you’ve identified the best match, apply it:

kubectl apply -f ~/netpol/.yaml

Apply only one file. Do not alter or delete any existing sample.

ssh cka000056

kubectl get deployment -n frontend -o yaml

kubectl get deployment -n backend -o yaml

ls ~/netpol

cat ~/netpol/*.yaml # Review carefully

kubectl apply -f ~/netpol/.yaml

Command Summary

ssh cka000056

kubectl get deployment -n frontend -o yaml

kubectl get deployment -n backend -o yaml

ls ~/netpol

cat ~/netpol/*.yaml # Review carefully

kubectl apply -f ~/netpol/.yaml

Question 17

Monitor the logs of pod foo and:

Extract log lines corresponding to error

unable-to-access-website

Write them to/opt/KULM00201/foo

Options:

Question 18

Perform the following tasks:

Add an init container to hungry-bear (which has been defined in spec file /opt/KUCC00108/pod-spec-KUCC00108.yaml)

The init container should create an empty file named/workdir/calm.txt

If /workdir/calm.txt is not detected, the pod should exit

Once the spec file has been updated with the init container definition, the pod should be created

Options:

Question 19

Create a nginx pod with label env=test in engineering namespace

Options:

Question 20

You must connect to the correct host.

Failure to do so may result in a zero score.

[candidate@base] $ ssh Cka000047

Task

A MariaDB Deployment in the mariadb namespace has been deleted by mistake. Your task is to restore the Deployment ensuring data persistence. Follow these steps:

Create a PersistentVolumeClaim (PVC ) named mariadb in the mariadb namespace with the

following specifications:

Access mode ReadWriteOnce

Storage 250Mi

You must use the existing retained PersistentVolume (PV ).

Failure to do so will result in a reduced score.

There is only one existing PersistentVolume .

Edit the MariaDB Deployment file located at ~/mariadb-deployment.yaml to use PVC you

created in the previous step.

Apply the updated Deployment file to the cluster.

Ensure the MariaDB Deployment is running and stable.

Options:

Answer:

See the solution below.

Explanation:

Task Overview

You're restoring a MariaDB deployment in the mariadb namespace with persistent data.

✅ Tasks:

SSH into cka000047

Create a PVC named mariadb:

Namespace: mariadb

Access mode: ReadWriteOnce

Storage: 250Mi

Use the existing retained PV (there’s only one)

Edit ~/mariadb-deployment.yaml to use the PVC

Apply the deployment

Verify MariaDB is running and stable

Step-by-Step Solution

1️⃣ SSH into the correct host

ssh cka000047

⚠️ Required — skipping = zero score

2️⃣ Inspect the existing PersistentVolume

kubectl get pv

✅ Identify the only existing PV, e.g.:

NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS

mariadb-pv 250Mi RWO Retain Available manual

Ensure the status is Available, and it is not already bound to a claim.

3️⃣ Create the PVC to bind the retained PV

Create a file mariadb-pvc.yaml:

cat < mariadb-pvc.yaml

apiVersion: v1

kind: PersistentVolumeClaim

metadata:

namespace: mariadb

spec:

accessModes:

- ReadWriteOnce

resources:

requests:

storage: 250Mi

volumeName: mariadb-pv # Match the PV name exactly

EOF

Apply the PVC:

kubectl apply -f mariadb-pvc.yaml

✅ This binds the PVC to the retained PV.

4️⃣ Edit the MariaDB Deployment YAML

Open the file:

nano ~/mariadb-deployment.yaml

Look under the spec.template.spec.containers.volumeMounts and spec.template.spec.volumes sections and update them like so:

Add this under the container:

yaml

CopyEdit

volumeMounts:

- name: mariadb-storage

mountPath: /var/lib/mysql

And under the pod spec:

volumes:

- name: mariadb-storage

persistentVolumeClaim:

claimName: mariadb

✅ These lines mount the PVC at the MariaDB data directory.

5️⃣ Apply the updated Deployment

kubectl apply -f ~/mariadb-deployment.yaml

6️⃣ Verify the Deployment is running and stable

kubectl get pods -n mariadb

kubectl describe pod -n mariadb

✅ Ensure the pod is in Running state and volume is mounted.

???? Final Command Summary

ssh cka000047

kubectl get pv # Find the retained PV

# Create PVC

cat < mariadb-pvc.yaml

apiVersion: v1

kind: PersistentVolumeClaim

metadata:

namespace: mariadb

spec:

accessModes:

- ReadWriteOnce

resources:

requests:

storage: 250Mi

volumeName: mariadb-pv

EOF

kubectl apply -f mariadb-pvc.yaml

# Edit Deployment

nano ~/mariadb-deployment.yaml

# Add volumeMount and volume to use the PVC as described

kubectl apply -f ~/mariadb-deployment.yaml

kubectl get pods -n mariadb

Question 21

Get list of all the pods showing name and namespace with a jsonpath expression.

Options:

Question 22

Get IP address of the pod – “nginx-dev”

Options:

Question 23

Create a Kubernetes secret as follows:

Name: super-secret

password: bob

Create a pod named pod-secrets-via-file, using the redis Image, which mounts a secret named super-secret at /secrets.

Create a second pod named pod-secrets-via-env, using the redis Image, which exports password as CONFIDENTIAL

Options:

Question 24

Score:7%

Context

An existing Pod needs to be integrated into the Kubernetes built-in logging architecture (e. g. kubectl logs). Adding a streaming sidecar container is a good and common way to accomplish this requirement.

Task

Add a sidecar container named sidecar, using the busybox Image, to the existing Pod big-corp-app. The new sidecar container has to run the following command:

/bin/sh -c tail -n+1 -f /va r/log/big-corp-app.log

Use a Volume, mounted at /var/log, to make the log file big-corp-app.log available to the sidecar container.

Options:

Load More CKA Questions

Summer Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: wrap60

Dumpswrap Top Menu

breadcrumb

Linux Foundation CKA Dumps

CKA Free PDF Questions

Certified Kubernetes Administrator (CKA) Program Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CKA Free PDF Answers

Dumpswrap Footer Menu