Kubernetes (K8s) MCQ 60 Tests With Answers (2026)

Kubernetes (K8s) is the industry-leading container orchestration platform, and mastering it is essential for cloud-native development and DevOps careers. These 60 meticulously curated MCQs take you from fundamental concepts (Pods, Services, Deployments) through intermediate architectures (StatefulSets, RBAC, Storage) to advanced topics (Operators, CRDs, etcd clustering).
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering pods, services, deployments, kubectl, and core architecture), Concepts (covering StatefulSets, DaemonSets, RBAC, storage, and networking), and Advanced (covering operators, CRDs, CNI/CSI, etcd, scheduler, and security). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate certification environments. The interactive engine tracks your progress and identifies knowledge gaps across K8s resources, control plane systems, and networking components.
Kubernetes MCQ questions are essential for CKA, CKAD, CKDS, Docker Certified Associate, AWS EKS, Azure AKS, and GCP GKE certifications. Key topics include: Pod lifecycle, Deployments, StatefulSets, DaemonSets, Jobs, CronJobs, Services (ClusterIP, NodePort, LoadBalancer), Ingress, ConfigMaps, Secrets, RBAC (Roles, RoleBindings, ClusterRoles, ClusterRoleBindings), ServiceAccounts, Persistent Volumes (PV), Persistent Volume Claims (PVC), storage classes, networking (CNI plugins Calico, Flannel, Weave), Network Policies, taints and tolerations, node selectors, affinity rules, pod disruption budgets, cluster autoscaling, metrics-server, resource requests and limits, health checks (liveness/readiness probes), operators, Custom Resource Definitions (CRDs), etcd, kubelet, kube-proxy, kube-scheduler, kube-controller-manager, and API server behavior.
How to answer Kubernetes MCQs: Understand that Kubernetes follows a declarative, state-reconciliation model: you define desired state in YAML manifests, and the control plane continuously works toward matching actual state. For object questions, know that Pods are ephemeral and stateless (use Deployments for reliability), while StatefulSets provide stable network identity and persistent storage for databases. For networking, understand that Services abstract Pod IP volatility — ClusterIP is internal, NodePort exposes on host ports, LoadBalancer delegates to cloud load balancers. For security, RBAC is role-based: Roles/RoleBindings scope to namespaces; ClusterRoles/ClusterRoleBindings are cluster-wide. For storage, PersistentVolumes are cluster resources; PersistentVolumeClaims request them; storage classes automate provisioning based on cloud provider.
Contents
- 1. Basics (20 Questions): Pods · Services · Deployments · kubectl · core architecture
- 2. Concepts (20 Questions): StatefulSets · DaemonSets · RBAC · Storage · Networking
- 3. Advanced (20 Questions): Operators · CRDs · CNI/CSI · etcd · scheduler · security
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Kubernetes (K8s) — Basics
1. What is the smallest and simplest deployable object in the Kubernetes object model?
Correct answer: B. Pod
A Pod is the smallest deployable unit in Kubernetes. It is a wrapper around one or more containers (usually Docker containers) that share network namespaces, storage, and specifications for how to run the containers.
2. Which component runs on every node and ensures that containers are running properly within a Pod?
Correct answer: C. kubelet
The kubelet is the agent that runs on every worker node. It is responsible for ensuring that containers described in Pod specifications are running and healthy. It communicates with the control plane via the Kubernetes API.
3. What is the primary function of a Kubernetes Service?
Correct answer: A. Provide a stable IP and DNS name for a set of Pods
A Kubernetes Service provides a stable, predictable IP address and DNS name that abstracts the underlying Pods. This allows clients to access the service even as Pods are created and destroyed, enabling load balancing and service discovery.
4. Which control plane component is responsible for assigning newly created Pods to a specific Node?
Correct answer: D. kube-scheduler
The kube-scheduler is the control plane component that watches for newly created Pods with no assigned Node and selects a Node for them to run on. It considers resource requirements, constraints, and affinity rules.
5. What command is used to apply a YAML configuration file to a cluster to create or update resources?
Correct answer: B. kubectl apply -f
`kubectl apply -f` is the declarative command to apply configuration changes to a cluster. It idempotently creates, updates, or reconciles resources based on the provided YAML files.
6. Where does Kubernetes store all its cluster data, state, and configuration?
Correct answer: A. etcd
etcd is a distributed, consistent key-value store that serves as Kubernetes' backing store for all cluster data. It stores all API objects, configuration, and the current state of the cluster.
7. What is the default Service type in Kubernetes if no specific type is explicitly specified?
Correct answer: D. ClusterIP
ClusterIP is the default Service type. It exposes the Service on a cluster-internal IP address, only accessible from within the cluster. Other types include NodePort, LoadBalancer, and ExternalName.
8. Which Kubernetes object is best suited for managing a stateless application that requires continuous running and scaling?
Correct answer: B. Deployment
A Deployment is the recommended way to manage stateless applications. It provides declarative updates for Pods and ReplicaSets, with built-in rollout and rollback capabilities.
9. What is a Kubernetes Namespace used for?
Correct answer: C. Logically isolating resources within a single physical cluster
Namespaces provide a mechanism for isolating groups of resources within a single cluster. Multiple namespaces can exist in the same cluster and serve as virtual clusters for multi-tenant environments.
10. Which component serves as the primary interface for administrators and internal components to communicate with the cluster?
Correct answer: C. kube-apiserver
The kube-apiserver is the Kubernetes API server. It is the frontend of the Kubernetes control plane and exposes the HTTP API through which kubectl and other clients communicate with the cluster.
11. What is the role of the kube-proxy on a worker node?
Correct answer: B. Maintains network rules to allow communication to Pods from inside or outside the cluster
kube-proxy is a network proxy that runs on every node and maintains network rules on nodes. These rules allow network communication to Pods from network sessions inside or outside of the cluster.
12. How does Kubernetes handle a failed container inside a Pod by default?
Correct answer: D. It restarts the container on the same node using the defined restart policy
By default, the kubelet implements a restart policy that automatically restarts failed containers. The default restart policy is "Always", which restarts containers that exit regardless of the exit code.
13. Which concept allows you to attach identifying key-value pairs to Kubernetes objects for filtering and grouping?
Correct answer: A. Labels
Labels are key-value pairs attached to Kubernetes objects that enable identifying, grouping, and selecting objects. They are used by label selectors in Services, Deployments, and other higher-level constructs.
14. What is a ReplicaSet primarily designed to guarantee?
Correct answer: B. That a specified number of identical Pod replicas are running at any given time
A ReplicaSet ensures that a specified number of Pod replicas are running at all times. It creates and deletes Pods as needed to maintain the desired number of replicas.
15. When defining resource requirements for a container, what does the "limit" specify?
Correct answer: B. The maximum amount of CPU or memory the container is allowed to consume
Limits define the maximum amount of resources (CPU and memory) a container can consume. If a container exceeds its memory limit, it is terminated (OOMKilled). CPU limits cause throttling.
16. Which object is used to securely store and manage sensitive information like passwords or OAuth tokens?
Correct answer: A. Secret
A Secret is a Kubernetes object designed to hold sensitive data (passwords, OAuth tokens, SSH keys, etc.). Secret values are base64-encoded, which is an encoding and not encryption; protection comes from enabling encryption at rest for etcd or using an external secret management system.
17. What type of volume is created when a Pod is assigned to a Node and exists only as long as that Pod is running on that Node?
Correct answer: D. emptyDir
An emptyDir volume is a temporary volume that is created when a Pod is assigned to a Node and deleted when the Pod is removed from the node. It is useful for temporary scratch space.
18. Which command retrieves the detailed, low-level state and events of a specific Pod?
Correct answer: A. kubectl describe pod <pod-name>
`kubectl describe pod` provides detailed information about a Pod including its status, events, resource requirements, and current conditions. It is invaluable for debugging Pod issues.
19. What is the primary purpose of an Ingress resource?
Correct answer: C. To manage external access to HTTP and HTTPS routes within the cluster
An Ingress is a Kubernetes resource that manages external HTTP and HTTPS access to Services within the cluster. It typically uses an Ingress controller to implement routing rules based on hostnames and paths.
20. Which feature allows a Node to repel certain Pods from being scheduled on it unless the Pod explicitly tolerates the restriction?
Correct answer: D. Taints and Tolerations
Taints allow a Node to repel Pods. A tainted Node will not accept Pods unless the Pod has a matching toleration. This is useful for dedicating nodes to specific workloads or preventing scheduling on nodes with special hardware.
Kubernetes (K8s) — Concepts
1. Which object is designed to ensure that a copy of a specific Pod runs on all (or a selected subset of) Nodes in the cluster?
Correct answer: B. DaemonSet
A DaemonSet ensures that all (or some) Nodes run a copy of a Pod. As nodes are added or removed from the cluster, DaemonSet automatically adjusts the number of Pod replicas. It is ideal for logging and monitoring agents.
2. In a StatefulSet, how are the network identities of the generated Pods managed?
Correct answer: C. Each Pod gets a stable, predictable hostname based on its ordinal index
StatefulSets provide stable, unique network identities for each Pod based on their ordinal index (e.g., mysql-0, mysql-1). This is critical for stateful applications that require persistent identity across rescheduling.
3. What is the specific purpose of a Readiness Probe?
Correct answer: D. To determine if a container is ready to accept and serve network traffic
A Readiness Probe determines whether a container is ready to start receiving traffic. If a container fails a readiness check, it remains in the Service but no traffic is sent to it. This differs from a Liveness Probe which checks if the container is still running.
4. How does a Headless Service differ from a standard ClusterIP Service?
Correct answer: A. It does not allocate a cluster IP and allows direct DNS resolution to the backing Pod IPs
A Headless Service (with `clusterIP: None`) does not allocate a cluster IP. Instead, DNS returns the individual Pod IPs directly. This is used in StatefulSets where clients need to connect to specific Pod instances.
5. Which Kubernetes admission controller automatically alters incoming API requests before they are persisted in etcd?
Correct answer: B. MutatingAdmissionWebhook
A MutatingAdmissionWebhook can modify the content of incoming API requests before they are persisted. For example, it can inject sidecar containers, add default labels, or modify security contexts.
6. What is the primary function of a PersistentVolumeClaim (PVC)?
Correct answer: A. To act as a request for storage by a user, abstracting the underlying storage details
A PersistentVolumeClaim (PVC) is a request for storage by a user. It abstracts the user from the underlying storage infrastructure, allowing administrators to provide storage through PersistentVolumes.
7. In Kubernetes RBAC, what is the fundamental difference between a Role and a ClusterRole?
Correct answer: B. A Role is namespace-scoped, while a ClusterRole applies to cluster-wide resources
A Role defines permissions within a specific namespace, while a ClusterRole defines permissions across the entire cluster. RoleBindings grant Role permissions to users/service accounts in a namespace; ClusterRoleBindings do so cluster-wide.
8. Which mechanism is used to securely inject configuration data into a container as environment variables or mounted files without exposing it in the image?
Correct answer: C. ConfigMap
A ConfigMap stores non-sensitive configuration data as key-value pairs. It can be mounted as files or injected as environment variables into containers, keeping configuration separate from application code.
9. What does the "CrashLoopBackOff" status indicate for a Pod?
Correct answer: C. A container within the Pod repeatedly starts and crashes, causing kubelet to delay restart attempts
CrashLoopBackOff indicates that a container in the Pod is repeatedly crashing and restarting. The kubelet applies exponential backoff delays between restart attempts to avoid overwhelming the system.
10. Which Kubernetes component manages the lifecycle of cloud-provider-specific resources, such as external load balancers and route tables?
Correct answer: D. cloud-controller-manager
The cloud-controller-manager manages cloud-provider-specific control logic, such as provisioning external load balancers (for LoadBalancer Services) and managing routes and storage volumes.
11. How do Network Policies govern traffic flow in a Kubernetes cluster?
Correct answer: A. By defining rules that restrict ingress and egress traffic at the Pod level using label selectors
NetworkPolicies specify how Pods can communicate with each other and with other network endpoints. They use pod and namespace selectors to define ingress and egress rules at the network layer.
12. What is the purpose of the Downward API?
Correct answer: B. To expose Pod and container metadata to the running container without requiring direct Kubernetes API access
The Downward API exposes Pod metadata (name, namespace, labels, annotations, CPU/memory requests and limits) to containers via environment variables or mounted files, without requiring the container to query the Kubernetes API.
13. Which update strategy does a Deployment use by default to ensure zero downtime during a version rollout?
Correct answer: A. RollingUpdate
RollingUpdate is the default strategy for Deployments. It gradually replaces old Pods with new ones, ensuring continuous availability during the update. The Recreate strategy deletes all Pods and creates new ones, causing downtime.
14. What is a "StorageClass" used for in dynamic volume provisioning?
Correct answer: D. It defines the provisioner, parameters, and reclaim policy for dynamically creating PersistentVolumes
A StorageClass defines a "class" of storage with specific provisioner, parameters, and reclaim policies. When a PVC references a StorageClass, Kubernetes dynamically provisions a PersistentVolume according to the StorageClass specification.
15. If a Pod is evicted from a Node due to resource starvation, which Kubernetes mechanism is directly responsible for executing the eviction?
Correct answer: D. Kubelet out-of-resource handling
The kubelet monitors node resources and evicts Pods when the node faces resource pressure (memory or disk). Eviction policies determine which Pods are evicted based on QoS class and resource usage.
16. What is the primary function of an Init Container?
Correct answer: B. To run setup scripts or utilities to completion before the primary application containers start
Init Containers run before the main app containers in a Pod and must complete successfully for the Pod to start. They are useful for setup tasks like downloading dependencies, checking service availability, or initializing data.
17. Which concept allows you to constrain a Pod so that it can only be scheduled on specific Nodes based on node labels?
Correct answer: B. Node Affinity
Node Affinity allows you to define rules that constrain which Nodes a Pod can be scheduled on, based on node labels. RequiredDuringSchedulingIgnoredDuringExecution rules enforce the constraint, while preferred rules use soft constraints.
18. What occurs when a Job object completes its specified number of successful executions?
Correct answer: C. The Job retains the completed Pods for logging and debugging purposes until manually deleted
A completed Job retains the Pods for logging and debugging. The Pods are not automatically deleted; they must be manually cleaned up. This allows inspection of logs and final status codes.
19. How does a Liveness Probe differ from a Startup Probe?
Correct answer: A. A Startup Probe disables liveness and readiness checks until the application has successfully initialized
A Startup Probe disables liveness and readiness probes until the application successfully starts. This prevents the other probes from failing on slow-starting applications. Once the startup probe succeeds once, it is no longer executed.
20. In an RBAC RoleBinding, what does the "Subject" represent?
Correct answer: D. The user, group, or service account being granted the permissions defined in the Role
The Subject in a RoleBinding specifies who is being granted permissions (user, group, or service account). The RoleRef specifies which Role the subject is bound to, and the Binding is scoped to a specific namespace.
Kubernetes (K8s) — Advanced
1. What is the core architectural principle behind a Kubernetes Operator?
Correct answer: B. It combines a Custom Resource Definition with a custom controller to automate complex, domain-specific stateful applications
An Operator is a Kubernetes-native application that uses Custom Resource Definitions (CRDs) and controllers to automate the deployment and management of complex, stateful applications. The Operator pattern encodes domain expertise in software.
2. In the context of an etcd cluster, what is the absolute minimum number of nodes required to maintain high availability and survive a single node failure?
Correct answer: A. Three nodes
An etcd cluster requires an odd number of nodes for consensus. With three nodes, the cluster can survive the loss of one node. A two-node cluster cannot guarantee consistency; a five-node cluster is more resilient but less efficient.
3. How does the Container Network Interface (CNI) integrate with Kubernetes?
Correct answer: C. It is a standardized specification invoked by the Kubelet to configure network interfaces and assign IP addresses to Pods
The CNI is a specification and set of tools for configuring network interfaces in containers. The kubelet invokes CNI plugins to set up Pod networking (IP assignment, routing, etc.) when Pods are created.
4. What specific problem does the "PodDisruptionBudget" (PDB) solve during voluntary disruptions like node upgrades?
Correct answer: C. It limits the number of concurrently down Pods for a highly available application to maintain quorum or availability
A PodDisruptionBudget specifies the minimum number of Pods that must be available during voluntary disruptions (upgrades, scaling, etc.). It ensures highly available applications maintain sufficient replicas to serve traffic.
5. During the scheduling process, what happens in the "Filtering" (or Predicates) phase?
Correct answer: C. The scheduler eliminates nodes that do not meet the Pod's specific hardware or constraint requirements
During the Filtering phase, the scheduler applies filter functions (predicates) to eliminate nodes that don't meet the Pod's requirements (sufficient resources, correct labels, taints/tolerations, etc.).
6. What is the primary advantage of utilizing EndpointSlices over standard Endpoints resources in a massive, highly scaled cluster?
Correct answer: D. EndpointSlices group network endpoints into smaller, manageable chunks to drastically reduce API server load and network traffic
EndpointSlices partition endpoints into smaller slices (by default, 100 endpoints per slice) to reduce the size of individual objects sent over the network and reduce API server load in large clusters.
7. Which feature allows Kubernetes to dynamically mount temporary, locally attached SSDs for high-performance, low-latency scratch space?
Correct answer: B. Ephemeral Inline Volumes
Ephemeral Inline Volumes allow Pods to reference volumes defined inline in the Pod specification. They are useful for temporary storage and avoid the need to create separate PersistentVolume and PersistentVolumeClaim objects.
8. When designing a Custom Resource Definition (CRD), what is the purpose of the "OpenAPI v3 validation schema"?
Correct answer: D. To enforce structural and data type constraints on the custom resource before it is accepted by the API server
The validation schema in a CRD uses OpenAPI v3 to define the structure and constraints for custom resources. Invalid resources are rejected by the API server before being persisted in etcd.
9. In an advanced Multi-AZ cluster, what mechanism instructs the scheduler to evenly spread replicas of a Deployment across different availability zones?
Correct answer: C. Pod Topology Spread Constraints
Pod Topology Spread Constraints allow you to define rules that distribute Pods across topology domains (zones, regions, etc.) to improve fault tolerance and availability.
10. What is the specific function of the Container Storage Interface (CSI) sidecar container known as the "external-provisioner"?
Correct answer: B. It monitors PVCs and triggers the CSI driver to dynamically create or delete physical storage volumes
The external-provisioner sidecar watches for PersistentVolumeClaim objects and calls the CSI driver's CreateVolume method when a new PVC is created. It automates the provisioning of persistent volumes.
11. How does the Kubernetes API server handle optimistic concurrency control to prevent conflicting updates to the same resource?
Correct answer: C. It utilizes the `resourceVersion` field to ensure the client is updating the most current state of the object
Each Kubernetes object has a resourceVersion field. When updating an object, the client includes the resourceVersion. If another client has updated the object (changing its resourceVersion), the update fails, requiring the client to re-fetch and retry.
12. Which Kubernetes native mechanism is utilized to automatically scale the number of cluster nodes by interacting directly with the cloud provider's infrastructure?
Correct answer: A. Cluster Autoscaler
The Cluster Autoscaler watches for Pods that cannot be scheduled due to insufficient resources and automatically adds nodes to the cluster. It also scales down nodes when they are underutilized.
13. What is a "HorizontalPodAutoscaler" (HPA) primarily calculating when it utilizes custom metrics for scaling decisions?
Correct answer: D. The ratio of the current metric value to the desired target value to determine the exact number of required replicas
The HPA calculates the ratio of the current metric value to the target value to determine the desired number of replicas: desiredReplicas = ceil[currentReplicas * (currentMetricValue / targetMetricValue)].
14. In a scenario where kube-proxy is operating in "IPVS" mode, what is its primary operational advantage over "iptables" mode?
Correct answer: D. IPVS utilizes highly efficient hash tables, providing significantly better performance and lower latency in clusters with tens of thousands of services
IPVS (IP Virtual Server) uses hash tables and is more efficient than iptables for clusters with many Services. iptables rules grow linearly with the number of services, causing performance degradation.
15. What is the technical consequence of setting the `hostNetwork: true` flag in a Pod's specification?
Correct answer: C. The Pod completely bypasses the CNI plugin and binds directly to the physical node's network namespace and IP address
When hostNetwork is set to true, the Pod uses the host's network namespace directly, bypassing all CNI networking setup. The Pod sees the host's network interfaces and can bind to the host's ports.
16. How does the "Informer" pattern improve the performance of custom Kubernetes controllers?
Correct answer: A. It maintains a local, synchronized cache of API objects using watch streams, preventing constant polling of the API server
Informers maintain a local cache of API objects and use watch streams for real-time updates. This dramatically reduces API server load by eliminating the need for controllers to repeatedly list objects.
17. Which specific vulnerability does the "seccomp" (secure computing mode) profile mitigate when applied to a container's SecurityContext?
Correct answer: C. It restricts the specific Linux kernel system calls that the containerized application is permitted to execute
Seccomp restricts the system calls available to a container. The built-in default seccomp profile blocks many dangerous syscalls (such as ptrace) while allowing safe ones.
18. When a Node's condition transitions to `MemoryPressure`, how does the kubelet prioritize which Pods to forcefully evict first?
Correct answer: C. It evicts BestEffort Pods, followed by Burstable Pods that are exceeding their memory requests
The kubelet respects QoS classes when evicting: BestEffort Pods are evicted first, followed by Burstable Pods exceeding their requests, and finally Guaranteed Pods. This prioritizes protecting critical workloads.
19. What is the primary operational distinction between a "CronJob" and a standard "Job" in Kubernetes?
Correct answer: B. A CronJob manages time-based scheduling, creating discrete Job objects at specific intervals defined by a cron format
A CronJob creates Jobs on a schedule. It accepts a cron expression (e.g., "0 0 * * *") and spawns a new Job according to that schedule. The Job itself performs the actual work.
20. In an API Server configuration, what is the role of an "Authentication Webhook"?
Correct answer: C. It intercepts incoming requests and delegates the verification of bearer tokens to an external, third-party identity provider
An Authentication Webhook allows the API server to delegate token verification to an external authentication provider. The API server makes an HTTP POST request to the webhook to verify tokens and retrieve user information.
Conclusion: Mastering Kubernetes
Kubernetes (K8s) is the industry standard for container orchestration, automating deployment, scaling, and management of containerized applications across clusters. Mastering its core concepts — Pods, Services, Deployments, StatefulSets, RBAC, storage, networking — is essential for DevOps engineers, cloud architects, and full-stack developers working in cloud-native environments.
Key mastery areas: Understand the declarative nature of K8s: you describe desired state (manifests/YAML), and the control plane continuously reconciles the actual state. Know the difference between Pods (ephemeral) and StatefulSets (persistent identity). Understand networking (Services expose Pods, Ingress exposes services). Master RBAC (Role-Based Access Control) for security. Know storage (PersistentVolumes, PersistentVolumeClaims, storage classes). These 60 carefully structured MCQs progressively deepen your knowledge from basics through advanced CKA/CKAD concepts.
After completing this MCQ set, pursue hands-on labs with a real Kubernetes cluster, earn a CKA (Certified Kubernetes Administrator) or CKAD (Certified Kubernetes Application Developer) certification, and you'll be ready to architect mission-critical container orchestration infrastructure. Best of luck on your Kubernetes journey! 🚀
📌 Key Takeaways — Kubernetes
- Pod — smallest deployable unit. Usually runs one container (sidecar patterns use multiple).
- Deployment — declarative updates for Pods. Manages ReplicaSets; supports rolling updates, rollbacks.
- StatefulSet — manages stateful apps with persistent identity (database indices, hostnames persist across restarts).
- Service — stable network endpoint for Pods. Types: ClusterIP (internal), NodePort (host port), LoadBalancer (cloud).
- Ingress — HTTP/HTTPS routing to Services (single entry point, path-based routing, TLS termination).
- RBAC — Role-Based Access Control. Roles define permissions; RoleBindings grant roles to users/serviceaccounts.
- Persistent Volume (PV) — cluster resource (provisioned by admin). PersistentVolumeClaim (PVC) requests it.
- Namespaces — logical cluster partitions for multi-tenancy, resource quotas, network policies.
- Taints & Tolerations — taints repel Pods from nodes; tolerations allow Pods to tolerate taints.
- Resource Requests/Limits — requests guarantee minimum CPU/memory; limits cap maximum (prevent noisy neighbor).
Quick Review & Summary
Use this table to quickly understand Kubernetes object purposes before or after attempting the questions above.
| Kubernetes Object | Purpose | Scope |
|---|---|---|
| Pod | Smallest unit, wraps container(s) | Namespace |
| Deployment | Manage stateless Pods, rolling updates | Namespace |
| StatefulSet | Manage stateful Pods, persistent identity | Namespace |
| Service | Stable endpoint, load balance Pods | Namespace |
| Ingress | HTTP(S) routing to Services | Namespace |
| ConfigMap | Non-sensitive config data | Namespace |
| Secret | Sensitive data (passwords, tokens) | Namespace |