Cluster Architecture, Installation and Configuration
Drill 20 practice questions focused entirely on Cluster Architecture, Installation and Configuration for the Linux Foundation CKA exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
You created a ClusterRole named 'pod-reader' that grants get, list, and watch on pods. A developer's ServiceAccount 'ci-bot' in the 'dev' namespace needs to read pods only within the 'dev' namespace. Which binding correctly grants exactly this access using the existing ClusterRole?
After bootstrapping a new single-control-plane cluster with kubeadm, you notice all nodes report NotReady and every Pod (including CoreDNS) remains stuck in ContainerCreating. Running 'kubectl describe pod' on a CoreDNS Pod shows the event: 'Failed to create pod sandbox: ... failed to find plugin "..." in path [/opt/cni/bin] ... network plugin is not ready: cni config uninitialized'. What is the correct action to bring the cluster to a healthy state?
A worker node's kubelet is running, but you suspect containers are failing at the runtime level. The node uses containerd as its CRI. You need to list all running containers and inspect a specific container's status directly at the runtime layer, bypassing the Kubernetes API. Which tool and configuration is the correct approach?
Your production cluster uses an external etcd topology (etcd runs on dedicated nodes outside the control-plane machines). You need to take an etcd snapshot for backup from one of the etcd nodes using etcdctl v3. The etcd cluster is secured with client certificate authentication. Which command correctly produces the snapshot?
You are responsible for etcd backups on a kubeadm-provisioned cluster where etcd runs as a stacked static pod on the control-plane node. Before a risky upgrade, you must take a manual snapshot of the etcd data from the control-plane host. The etcd server certificates are located in /etc/kubernetes/pki/etcd/. Which command correctly captures a consistent snapshot?
You are administering a three-node stacked etcd control plane provisioned with kubeadm. After a network partition, users report intermittent API server errors. You want to inspect the etcd cluster membership and confirm each member's health directly from one control-plane node. Which command correctly queries etcd using the certificates that kubeadm places on the node?
You are deploying an application named 'billing' with Helm. The chart's values.yaml sets 'replicaCount: 2'. Your team maintains an environment file prod-values.yaml that sets 'replicaCount: 4'. During a hotfix rollout you run: helm install billing ./billing-chart -f prod-values.yaml --set replicaCount=6. After the release completes, how many replicas will the Deployment be configured with, and why?
A platform engineer reports that a Helm release named 'billing-api' was installed several days ago, but running `helm list` in their current shell shows no releases. Other teammates confirm the workload pods are running in the 'finance' namespace. Which command will correctly reveal the 'billing-api' release and its status?
You maintain a kubeadm-provisioned cluster that has been running for just over a year. This morning, kubectl commands from the admin workstation begin failing with 'x509: certificate has expired or is not yet valid', and the API server static pod is repeatedly restarting. Investigation shows the cluster's PKI certificates were never rotated. Which single command should you run on the control-plane node to renew all kubeadm-managed certificates at once, after which you must restart the control-plane components?
You are bootstrapping a highly-available control plane with kubeadm. The first control-plane node was initialized several hours ago using 'kubeadm init' with a stacked etcd topology behind a load balancer. Now you want to join a second control-plane node using 'kubeadm join --control-plane'. The join command fails because it cannot download the required control-plane certificates from the cluster. What is the correct way to make those certificates available for the join?
You are provisioning a new control-plane node with kubeadm. The node has both containerd (socket at unix:///run/containerd/containerd.sock) and CRI-O (socket at unix:///run/crio/crio.sock) installed. When you run 'kubeadm init', the command fails with an error indicating that multiple container runtime endpoints were detected and it cannot proceed. You want the cluster to use containerd. Which action correctly resolves this and initializes the cluster?
You are bootstrapping a new control-plane node with kubeadm on a server inside an air-gapped datacenter that has no internet access. Before running 'kubeadm init', you want to verify exactly which container images this specific kubeadm version requires so you can pre-load them into your local registry mirror. Which command lets you list those required images without contacting any external endpoint or initializing the cluster?
You are bootstrapping a highly-available cluster with kubeadm using the stacked etcd topology. After running 'kubeadm init --upload-certs' on the first control-plane node and successfully joining a second control-plane node, you attempt to join a third control-plane node two hours later using the same '--certificate-key' value printed during init. The join fails with an error indicating the certificate key cannot be used to decrypt the certificates. What is the cause and correct remediation?
You are adding a new worker node to an existing kubeadm cluster. On the worker, you run 'kubeadm join 10.0.0.5:6443 --token abc123.def4567890ghijkl' without any other flags. The join fails immediately with an error stating that the cluster CA could not be validated because no --discovery-token-ca-cert-hash was provided and --discovery-token-unsafe-skip-ca-verification was not set. You want to join securely without disabling verification. Which action correctly obtains the value needed to complete the join?
You are adding a new worker node to an existing kubeadm cluster. The control plane was set up two days ago. When you run the 'kubeadm join' command that was printed during 'kubeadm init', the node fails with an error indicating the bootstrap token is invalid or has expired. You need to generate a fresh join command from the control plane node. Which command produces a complete, ready-to-use join command including a new token and the discovery CA cert hash?
You administer a kubeadm-managed cluster where the control-plane node currently runs Kubernetes v1.29.4. You have already run 'apt-get install -y kubeadm=1.30.1-*' on the control-plane node and confirmed the kubeadm binary reports v1.30.1. Your goal is to upgrade the control-plane components (API server, controller manager, scheduler, etcd static pods) to v1.30.1. Which command should you run next to perform this upgrade on the first control-plane node?
You are upgrading a kubeadm-managed cluster. The control plane has already been upgraded to v1.29.2. You now need to upgrade a worker node named 'worker-3'. You have run 'apt-get install kubeadm=1.29.2-*' and 'kubeadm upgrade node' on worker-3. What is the correct sequence of remaining steps to safely complete the worker upgrade, minimizing disruption to running workloads?
You manage a highly-available cluster that was bootstrapped with kubeadm using an external etcd topology (etcd runs on dedicated hosts, not as static pods managed by kubeadm). You are upgrading the first control-plane node from v1.29 to v1.30 and run 'kubeadm upgrade apply v1.30.0'. The command reports it will manage component upgrades. What is the correct expectation about etcd during this kubeadm upgrade?
You are upgrading a worker node named worker-3 as part of a rolling kubeadm upgrade. Before running the kubelet package upgrade, you attempt to drain the node with `kubectl drain worker-3`, but the command fails with an error stating that the node contains DaemonSet-managed Pods and Pods with local storage (emptyDir volumes). You must safely evict the workloads and proceed with the upgrade without losing critical control-plane agents that run on every node. Which command correctly drains the node in this situation?
You upgraded the control plane of a kubeadm cluster to v1.30 successfully. When you run `kubectl get nodes`, the control-plane node shows v1.30 but three worker nodes still show v1.28 and remain Ready. New pods scheduled to the workers run fine, but you are preparing to upgrade the workers. Before draining and upgrading a worker, which command should you run ON that worker node to update the local kubeadm-managed component configuration and pull the correct kubelet config?
More CKA practice
Keep going with the other Certified Kubernetes Administrator (CKA) domains, or take a full timed mock exam.
← Back to CKA overview