Linux Foundation Real Dumps Practice Exam Questions by Dumpswarp

Certified Kubernetes Application Developer (CKAD) Program Questions and Answers

Question 1

Context

You are asked to scale an existing application and expose it within your infrastructure.

First, update the Deployment nginx-deployment in the prod

namespace :

. to run 2 replicas of the Pod

. add the following label to the Pod :

role: webFrontEnd

Next, create a NodePort Service named rover in the prod namespace exposing the nginx-deployment Deployment 's Pods

Options:

Answer:

See the Explanation below for complete solution.

Explanation:

Below is an exam-style, step-by-step solution (commands + verification). Follow exactly on host ckad000.

0) Connect to the right host

ssh ckad000

(Optional but good sanity check)

kubectl config current-context

kubectl get ns

1) Inspect the existing Deployment (to know its labels/ports)

kubectl -n prod get deploy nginx-deployment

kubectl -n prod get deploy nginx-deployment -o wide

Check what labels the Pod template already has (important for the Service selector):

kubectl -n prod get deploy nginx-deployment -o jsonpath='{.spec.template.metadata.labels}{"\n"}'

Check container ports (so we expose the correct targetPort):

kubectl -n prod get deploy nginx-deployment -o jsonpath='{.spec.template.spec.containers[0].ports}{"\n"}'

If ports output is empty, it’s still often nginx on 80, but the safest is to confirm by describing a pod later.

2) Update Deployment to 2 replicas

Fastest:

kubectl -n prod scale deploy nginx-deployment --replicas=2

Verify:

kubectl -n prod get deploy nginx-deployment

3) Add label role=webFrontEnd to the Pod (Pod template label)

You must add it under:

spec.template.metadata.labels

Use a patch (quick + safe):

kubectl -n prod patch deploy nginx-deployment \

-p '{"spec":{"template":{"metadata":{"labels":{"role":"webFrontEnd"}}}}}'

Verify the Deployment template now includes it:

kubectl -n prod get deploy nginx-deployment -o jsonpath='{.spec.template.metadata.labels}{"\n"}'

Now verify the running Pods have the label (important!):

kubectl -n prod get pods --show-labels

If the label doesn’t show on pods immediately, wait for rollout:

kubectl -n prod rollout status deploy nginx-deployment

kubectl -n prod get pods --show-labels

4) Create a NodePort Service rover exposing the Deployment’s Pods

4.1 Get a reliable target port

Try to read containerPort:

kubectl -n prod get deploy nginx-deployment -o jsonpath='{.spec.template.spec.containers[0].ports[0].containerPort}{"\n"}'

If this prints a number (commonly 80), use it as --target-port.

If it prints nothing/empty, check a pod:

POD=$(kubectl -n prod get pod -l role=webFrontEnd -o jsonpath='{.items[0].metadata.name}')

kubectl -n prod describe pod "$POD" | sed -n '/Containers:/,/Conditions:/p' | sed -n '/Ports:/,/Environment:/p'

Assuming nginx is on 80 (most common), create the service:

kubectl -n prod expose deploy nginx-deployment \

--name=rover \

--type=NodePort \

--port=80 \

--target-port=80

If your nginx container port is different (e.g., 8080), change --target-port=8080 accordingly.

5) Verify Service + endpoints (critical)

kubectl -n prod get svc rover -o wide

kubectl -n prod describe svc rover

kubectl -n prod get endpoints rover -o wide

You should see 2 endpoints (matching 2 pods).

Also confirm the pods are Ready:

kubectl -n prod get pods -l role=webFrontEnd -o wide

Quick “CKAD checkpoints”

Deployment in prod has replicas=2

Pod template has label role=webFrontEnd

Service rover in prod is NodePort

Service endpoints point to the nginx pods

Question 2

Context

You have been tasked with scaling an existing deployment for availability, and creating a service to expose the deployment within your infrastructure.

Task

Start with the deployment named kdsn00101-deployment which has already been deployed to the namespace kdsn00101 . Edit it to:

• Add the func=webFrontEnd key/value label to the pod template metadata to identify the pod for the service definition

• Have 4 replicas

Next, create ana deploy in namespace kdsn00l01 a service that accomplishes the following:

• Exposes the service on TCP port 8080

• is mapped to me pods defined by the specification of kdsn00l01-deployment

• Is of type NodePort

• Has a name of cherry

Options:

Question 3

Context

A project that you are working on has a requirement for persistent data to be available.

Task

To facilitate this, perform the following tasks:

• Create a file on node sk8s-node-0 at /opt/KDSP00101/data/index.html with the content Acct=Finance

• Create a PersistentVolume named task-pv-volume using hostPath and allocate 1Gi to it, specifying that the volume is at /opt/KDSP00101/data on the cluster's node. The configuration should specify the access mode of ReadWriteOnce . It should define the StorageClass name exam for the PersistentVolume , which will be used to bind PersistentVolumeClaim requests to this PersistenetVolume.

• Create a PefsissentVolumeClaim named task-pv-claim that requests a volume of at least 100Mi and specifies an access mode of ReadWriteOnce

• Create a pod that uses the PersistentVolmeClaim as a volume with a label app: my-storage-app mounting the resulting volume to a mountPath /usr/share/nginx/html inside the pod

Options:

Question 4

You must connect to the correct host . Failure to do so may result in a zero score.

[candidate@base] $ ssh ckad00021

Task

Create a Cronjob named grep that executes a Pod running the following single container:

image: busybox:stable

command: ["grep", "-i", "nameserv

er", "/etc/resolv.conf"]

Configure the CronJob to:

execute Once every 30 minutes

keep 96 completed Job

keep 192 failed Job

never restart podsterminate pods after 8 seconds

Manually create and execute once job

named grep-test from the grep Cronjob

Options:

Question 5

Set Configuration Context:

[student@node-1] $ | kubectl

Config use-context k8s

Task

You have rolled out a new pod to your infrastructure and now you need to allow it to communicate with the web and storage pods but nothing else. Given the running pod kdsn00201 -newpod edit it to use a network policy that will allow it to send and receive traffic only to and from the web and storage pods.

Options:

Question 6

Set Configuration Context:

[student@node-1] $ | kubectl

Config use-context k8s

Context

A web application requires a specific version of redis to be used as a cache.

Task

Create a pod with the following characteristics, and leave it running when complete:

• The pod must run in the web namespace.

The namespace has already been created

• The name of the pod should be cache

• Use the Ifccncf/redis image with the 3.2 tag

• Expose port 6379

Options:

Question 7

You must connect to the correct host . Failure to do so may result in a zero score.

[candidate@base] $ ssh ckad00027

Task

A Deployment named app-deployment in namespace prod runs a web application port 0001

A Deployment named app-deployment in namespace prod runs a web application

on port 8081.

The Deployment 's manifest files can be found at

/home/candidate/spicy-pikachu/app-deployment.yaml

Modify the Deployment specifying a readiness probe using path /healthz .

Set initialDelaySeconds to 6 and periodSeconds to 3.

Options:

Question 8

Context

Anytime a team needs to run a container on Kubernetes they will need to define a pod within which to run the container.

Task

Please complete the following:

• Create a YAML formatted pod manifest

/opt/KDPD00101/podl.yml to create a pod named app1 that runs a container named app1cont using image Ifccncf/arg-output

with these command line arguments: -lines 56 -F

• Create the pod with the kubect1 command using the YAML file created in the previous step

• When the pod is running display summary data about the pod in JSON format using the kubect1 command and redirect the output to a file named /opt/KDPD00101/out1.json

• All of the files you need to work with have been created, empty, for your convenience

Options:

Question 9

Context

You must connect to the correct host . Failure to do so may result in a zero score.

[candidate@base] $ ssh ckad00043

A Deployment needs specific RBAC permissions.

Task

First, find the RBAC permissions needed by the scraper Deployment running in the

cute-panda namespace .

it kubectl logs may help you to find the permissions it needs.

Next, create a new ServiceAccount named scraper in the namespace cute-panda.

Options:

Answer:

See the Explanation below for complete solution.

Explanation:

ssh ckad00043

You have two deliverables here:

Figure out what RBAC permissions the scraper Deployment needs (the logs will usually show “Forbidden” with the missing verb/resource).

Create a ServiceAccount named scraper in namespace cute-panda (and in practice, you then bind the needed permissions to it and use it in the Deployment so it actually works).

Below is the exact CKAD-style workflow.

1) Find the missing RBAC permissions (use logs + events)

1.1 Identify the pods for the Deployment

kubectl -n cute-panda get deploy scraper

kubectl -n cute-panda get pods -l app=scraper 2>/dev/null || kubectl -n cute-panda get pods

Pick one pod name and check logs:

kubectl -n cute-panda logs deploy/scraper --tail=100

If the pod is crashlooping and logs are short:

POD=$(kubectl -n cute-panda get pods -o jsonpath='{.items[0].metadata.name}')

kubectl -n cute-panda logs "$POD" --previous --tail=200

1.2 Look specifically for “Forbidden” lines

Most apps print errors like:

... is forbidden: User "system:serviceaccount:cute-panda:default" cannot list resource "pods" in API group "" in the namespace "cute-panda"

or cannot get resource "configmaps"...

or cannot watch ...

If you don’t see it in logs, check events:

kubectl -n cute-panda get events --sort-by=.lastTimestamp | tail -n 30

1.3 Extract verb/resource/apiGroup from the error

From a typical Kubernetes RBAC “forbidden” message, capture:

verb: get/list/watch/create/update/patch/delete

resource: pods, configmaps, secrets, deployments, etc.

apiGroup: "" (core), apps, batch, etc.

namespace: cute-panda (this is a namespaced permission if it’s a Role)

You may have multiple “cannot …” lines → you need to allow all of them.

2) Create the ServiceAccount scraper (required by the task)

kubectl -n cute-panda create serviceaccount scraper

kubectl -n cute-panda get sa scraper

3) Create the RBAC objects to grant the needed permissions

The task says “A Deployment needs specific RBAC permissions” — in CKAD, that usually means: Role + RoleBinding (namespaced) bound to your new ServiceAccount.

3.1 Create a Role (template you fill from the log output)

Create scraper-role.yaml:

cat <<'EOF' > scraper-role.yaml

apiVersion: rbac.authorization.k8s.io/v1

kind: Role

metadata:

namespace: cute-panda

rules:

# EXAMPLE ONLY: replace these rules with what your logs show

- apiGroups: [""]

resources: ["pods"]

verbs: ["get","list","watch"]

EOF

Apply it:

kubectl apply -f scraper-role.yaml

3.2 Bind the Role to the ServiceAccount

kubectl -n cute-panda create rolebinding scraper-rb \

--role=scraper-role \

--serviceaccount=cute-panda:scraper

Verify:

kubectl -n cute-panda get role scraper-role

kubectl -n cute-panda get rolebinding scraper-rb -o yaml

4) Update the Deployment to use the new ServiceAccount (so it actually works)

Check current SA (likely default):

kubectl -n cute-panda get deploy scraper -o jsonpath='{.spec.template.spec.serviceAccountName}{"\n"}'

Patch it to use scraper:

kubectl -n cute-panda patch deploy scraper -p '{"spec":{"template":{"spec":{"serviceAccountName":"scraper"}}}}'

Rollout:

kubectl -n cute-panda rollout status deploy scraper

Re-check logs to confirm RBAC errors are gone:

kubectl -n cute-panda logs deploy/scraper --tail=100

Question 10

You must connect to the correct host . Failure to do so may result in a zero score.

[candidate@base] $ ssh ckad00029

Task

Modify the existing Deployment named store-deployment, running in namespace

grubworm, so that its containers

run with user ID 10000 and

have the NET_BIND_SERVICE capability added

The store-deployment 's manifest file Click to copy

/home/candidate/daring-moccasin/store-deplovment.vaml

Options:

Answer:

See the Explanation below for complete solution.

Explanation:

ssh ckad00029

You must modify the existing Deployment store-deployment in namespace grubworm so that its containers:

run as user ID 10000

have Linux capability NET_BIND_SERVICE added

And you’re told to use the manifest file at:

/home/candidate/daring-moccasin/store-deplovment.vaml (note: the filename looks misspelled; follow it exactly on the host)

1) Inspect the current Deployment and locate the manifest file

kubectl -n grubworm get deploy store-deployment

ls -l /home/candidate/daring-moccasin/

Open the manifest:

sed -n '1,200p' "/home/candidate/daring-moccasin/store-deplovment.vaml"

2) Edit the manifest to add SecurityContext

Edit the file:

vi "/home/candidate/daring-moccasin/store-deplovment.vaml"

2.1 Set Pod-level runAsUser = 10000

Under:

spec.template.spec add:

securityContext:

runAsUser: 10000

2.2 Add NET_BIND_SERVICE capability at container-level

Under the container spec (for each container in containers:), add:

securityContext:

capabilities:

add: ["NET_BIND_SERVICE"]

A complete example of what it should look like (mind indentation):

apiVersion: apps/v1

kind: Deployment

metadata:

namespace: grubworm

spec:

template:

spec:

securityContext:

runAsUser: 10000

containers:

- name: store

image: someimage

securityContext:

capabilities:

add: ["NET_BIND_SERVICE"]

Important notes:

runAsUser can be set at Pod level (applies to all containers) or per-container. Pod-level is cleanest if all containers should run as 10000.

Capabilities must be set per-container (that’s where Kubernetes supports it).

Save and exit.

3) Apply the updated manifest

kubectl apply -f "/home/candidate/daring-moccasin/store-deplovment.vaml"

4) Ensure the Deployment rolls out

kubectl -n grubworm rollout status deploy store-deployment

5) Verify the settings are in effect

Check the rendered pod template:

kubectl -n grubworm get deploy store-deployment -o jsonpath='{.spec.template.spec.securityContext}{"\n"}'

kubectl -n grubworm get deploy store-deployment -o jsonpath='{.spec.template.spec.containers[0].securityContext}{"\n"}'

Verify on a running pod:

kubectl -n grubworm get pods

kubectl -n grubworm describe pod | sed -n '/Security Context:/,/Containers:/p'

kubectl -n grubworm describe pod | sed -n '/Containers:/,/Conditions:/p'

If there are multiple containers

Repeat the container-level securityContext.capabilities.add block for each container under spec.template.spec.containers.

Question 11

Context

Your application’s namespace requires a specific service account to be used.

Task

Update the app-a deployment in the production namespace to run as the restrictedservice service account. The service account has already been created.

Options:

Question 12

Given a container that writes a log file in format A and a container that converts log files from format A to format B, create a deployment that runs both containers such that the log files from the first container are converted by the second container, emitting logs in format B.

Task:

• Create a deployment named deployment-xyz in the default namespace, that:

•Includes a primary

lfccncf/busybox:1 container, named logger-dev

•includes a sidecar Ifccncf/fluentd:v0.12 container, named adapter-zen

•Mounts a shared volume /tmp/log on both containers, which does not persist when the pod is deleted

•Instructs the logger-dev

container to run the command

which should output logs to /tmp/log/input.log in plain text format, with example values:

• The adapter-zen sidecar container should read /tmp/log/input.log and output the data to /tmp/log/output.* in Fluentd JSON format. Note that no knowledge of Fluentd is required to complete this task: all you will need to achieve this is to create the ConfigMap from the spec file provided at /opt/KDMC00102/fluentd-configma p.yaml , and mount that ConfigMap to /fluentd/etc in the adapter-zen sidecar container

Options:

Question 13

You must connect to the correct host . Failure to do so may result in a zero score.

[candidate@base] $ ssh ckad00032

The Pod for the Deployment named nosql in the haddock namespace fails to start because its Container runs out of resources.

Update the nosql Deployment so that the Container :

requests 128Mi of memory

limits the memory to half the maximum memory constraint set for the haddock namespace

Options:

Answer:

See the Explanation below for complete solution.

Explanation:

Goal: fix nosql Deployment in haddock so the container stops OOM’ing by setting:

memory request = 128Mi

memory limit = half of the namespace’s maximum memory constraint

You must do this on the correct host.

0) Connect to the correct host

ssh ckad00032

1) Confirm the failing Deployment / Pods

kubectl -n haddock get deploy nosql

kubectl -n haddock get pods -l app=nosql 2>/dev/null || kubectl -n haddock get pods

If pods are crashing, check why (you’ll likely see OOMKilled):

kubectl -n haddock describe pod

2) Find the maximum memory constraint set for the haddock namespace

In CKAD labs, this is commonly enforced by a LimitRange (max memory per container). Sometimes it can also be a ResourceQuota.

2A) Check LimitRange (most likely)

kubectl -n haddock get limitrange

kubectl -n haddock get limitrange -o yaml

Extract the max memory value quickly:

MAX_MEM=$(kubectl -n haddock get limitrange -o jsonpath='{.items[0].spec.limits[0].max.memory}')

echo "Namespace max memory constraint: $MAX_MEM"

2B) If no LimitRange exists, check ResourceQuota

kubectl -n haddock get resourcequota

kubectl -n haddock describe resourcequota

If quota is used, you’re looking for something like limits.memory (but the question wording “maximum memory constraint” usually points to LimitRange max.memory).

3) Compute “half of the max memory constraint”

Run this small snippet to compute HALF in Mi (handles Mi and Gi):

HALF_MEM=$(python3 - <<'PY'

import os, re

q = os.environ.get("MAX_MEM","").strip()

m = re.fullmatch(r"(\d+)(Mi|Gi)", q)

if not m:

raise SystemExit(f"Cannot parse MAX_MEM='{q}'. Expected like 512Mi or 1Gi.")

val = int(m.group(1))

unit = m.group(2)

# convert to Mi

mi = val if unit == "Mi" else val * 1024

half_mi = mi // 2

print(f"{half_mi}Mi")

)

echo "Half of max: $HALF_MEM"

Example: if MAX_MEM=512Mi → HALF_MEM=256Mi

Example: if MAX_MEM=1Gi → HALF_MEM=512Mi

4) Update the nosql Deployment (DO NOT delete it)

First, get the container name (Deployment may have a custom container name):

kubectl -n haddock get deploy nosql -o jsonpath='{.spec.template.spec.containers[*].name}{"\n"}'

Now set resources (this updates the Deployment in-place):

kubectl -n haddock set resources deploy nosql \

--requests=memory=128Mi \

--limits=memory=$HALF_MEM

5) Ensure the update rolls out successfully

kubectl -n haddock rollout status deploy nosql

6) Verify the pod has the right requests/limits

kubectl -n haddock get deploy nosql -o jsonpath='{.spec.template.spec.containers[0].resources}{"\n"}'

kubectl -n haddock get pods

Pick the new pod and confirm:

kubectl -n haddock describe pod | sed -n '/Requests:/,/Limits:/p'

You should see:

Requests: memory 128Mi

Limits: memory

If rollout fails (common cause)

If you accidentally set a limit above the namespace max, pods won’t start. Check events:

kubectl -n haddock describe deploy nosql

kubectl -n haddock get events --sort-by=.lastTimestamp | tail -n 20

Question 14

Set Configuration Context:

[student@node-1] $ | kubectl

Config use-context k8s

Context

A pod is running on the cluster but it is not responding.

Task

The desired behavior is to have Kubemetes restart the pod when an endpoint returns an HTTP 500 on the /healthz endpoint. The service, probe-pod, should never send traffic to the pod while it is failing. Please complete the following:

• The application has an endpoint, /started, that will indicate if it can accept traffic by returning an HTTP 200. If the endpoint returns an HTTP 500, the application has not yet finished initialization.

• The application has another endpoint /healthz that will indicate if the application is still working as expected by returning an HTTP 200. If the endpoint returns an HTTP 500 the application is no longer responsive.

• Configure the probe-pod pod provided to use these endpoints

• The probes should use port 8080

Options:

Answer:

See the solution below.

Explanation:

Solution:

To have Kubernetes automatically restart a pod when an endpoint returns an HTTP 500 on the /healthz endpoint, you will need to configure liveness and readiness probes on the pod.

First, you will need to create a livenessProbe and a readinessProbe in the pod's definition yaml file. The livenessProbe will check the /healthz endpoint, and if it returns an HTTP 500, the pod will be restarted. The readinessProbe will check the /started endpoint, and if it returns an HTTP 500, the pod will not receive traffic.

Here's an example of how you can configure the liveness and readiness probes in the pod definition yaml file:

apiVersion: v1

kind: Pod

metadata:

spec:

containers:

- name: probe-pod

image:

ports:

- containerPort: 8080

livenessProbe:

httpGet:

path: /healthz

port: 8080

initialDelaySeconds: 15

periodSeconds: 10

failureThreshold: 3

readinessProbe:

httpGet:

path: /started

port: 8080

initialDelaySeconds: 15

periodSeconds: 10

failureThreshold: 3

The httpGet specifies the endpoint to check and the port to use. The initialDelaySeconds is the amount of time the pod will wait before starting the probe. periodSeconds is the amount of time between each probe check, and the failureThreshold is the number of failed probes before the pod is considered unresponsive.

You can use kubectl to create the pod by running the following command:

kubectl apply -f .yaml

Once the pod is created, Kubernetes will start monitoring it using the configured liveness and readiness probes. If the /healthz endpoint returns an HTTP 500, the pod will be restarted. If the /started endpoint returns an HTTP 500, the pod will not receive traffic.

Please note that if the failure threshold is set to 3, it means that if the probe fails 3 times consecutively it will be considered as a failure.

The above configuration assumes that the application is running on port 8080 and the endpoints are available on the same port.

Load More CKAD Questions

Spring Sale Discount Flat 70% Offer - Ends in 0d 00h 00m 00s - Coupon code: 70diswrap

Dumpswrap Top Menu

breadcrumb

Linux Foundation CKAD Dumps

CKAD Free PDF Questions

Certified Kubernetes Application Developer (CKAD) Program Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CKAD Free PDF Answers

Dumpswrap Footer Menu

DumpsWrap All Rights Reserved