Services and Networking
Drill 20 practice questions focused entirely on Services and Networking for the Linux Foundation CKA exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A development team has a backend API running as a Deployment named `orders-api` in the `commerce` namespace. The API only needs to be reachable by other Pods inside the cluster (a frontend Deployment and a batch worker), and must NOT be exposed to any external network or node IP. The team asks you to create a Service that provides a stable virtual IP and DNS name for in-cluster access while minimizing the attack surface. Which Service type should you use?
You are deploying a Cassandra cluster as a StatefulSet named 'cassandra' in the 'data' namespace. The application requires each pod to be individually addressable via a stable DNS name so peers can discover each other directly, rather than routing through a single virtual IP that load-balances requests. Which Service configuration will produce per-pod DNS A records like 'cassandra-0.cassandra.data.svc.cluster.local'?
You deploy an Ingress resource named 'web-ingress' in the 'shop' namespace to route external traffic to a ClusterIP Service. The Service has healthy endpoints and is reachable from inside the cluster. However, after several minutes, 'kubectl get ingress web-ingress -n shop' shows an empty ADDRESS field, and no external traffic reaches the application. What is the most likely cause?
You deployed an NGINX Ingress controller in a bare-metal cluster. The controller Pods are Running, and an Ingress resource with a valid IngressClass points to a backend Service that has healthy endpoints. External clients on the corporate network can reach worker nodes directly by IP, but there is no cloud load balancer available. You want external HTTP traffic to reach the Ingress controller reliably through any node. Which configuration of the Ingress controller's own Service enables this in a bare-metal environment without a cloud provider?
You deploy an Ingress resource that routes traffic for the host 'shop.example.com' to a Service named 'storefront'. The NGINX Ingress controller is running with a valid external IP and the 'storefront' Service has healthy endpoints. A user reports that requests to 'shop.example.com' work correctly, but requests sent to the controller's external IP using a host header of 'unknown.example.com' return a generic 404 from the ingress controller rather than a connection error. Your team wants requests that match no configured host/path rule to be served by a custom maintenance Service instead of the controller's built-in 404 page. What is the correct way to achieve this?
Your cluster runs two Ingress controllers: an NGINX controller (IngressClass 'nginx') for internal apps and an AWS ALB controller (IngressClass 'alb') for public apps. A developer creates an Ingress resource for a public app but omits both the 'spec.ingressClassName' field and the 'kubernetes.io/ingress.class' annotation. The 'nginx' IngressClass has the annotation 'ingressclass.kubernetes.io/is-default-class: "true"'. The public app is unreachable from the internet. What is the most likely cause?
You deployed an NGINX Ingress controller and created an Ingress resource that maps host 'shop.example.com' with path '/api' (pathType: Prefix) to service 'api-svc:8080' and path '/' to service 'web-svc:80'. Requests to 'shop.example.com/' work correctly, but requests to 'shop.example.com/api/orders' return a 503 Service Temporarily Unavailable from NGINX. The web-svc endpoints are healthy. What is the MOST likely cause of the 503?
You deploy an Ingress resource named 'shop-ingress' in the 'ecommerce' namespace to expose an HTTPS endpoint for shop.example.com. You reference a TLS secret named 'shop-tls' in the spec.tls section. The Ingress controller is running and healthy, and HTTP requests to the host route correctly, but HTTPS requests fail with a default self-signed certificate being served instead of your certificate. Running 'kubectl get secret shop-tls -n default' shows the secret exists there. What is the most likely cause and correct fix?
A team exposes a web application through a Service of type LoadBalancer. The Deployment's Pod template defines two containers: the frontend container listens on port 8080 (named 'http') and a metrics sidecar listens on port 9100 (named 'metrics'). The team wants the external LoadBalancer to route port 80 to the frontend and port 9090 to the metrics endpoint, using container port names rather than hardcoded numbers so future container port changes don't break the Service. Which Service ports configuration achieves this correctly?
You deploy a Service of type LoadBalancer named 'web-lb' in an on-premises bare-metal cluster (installed via kubeadm, no cloud provider integration). After applying the manifest, running 'kubectl get svc web-lb' shows the EXTERNAL-IP column stuck in '<pending>' indefinitely, though the Service has a valid ClusterIP and healthy endpoints. What is the most likely cause and appropriate remediation?
Your team runs a web application behind a Service of type LoadBalancer on a managed cloud cluster. The application logs show that every incoming request appears to originate from a cluster node's internal IP address rather than the real client IP. The security team requires the actual client source IP to be preserved for audit logging. Which change to the Service will preserve the original client source IP?
A team runs a payments API in the namespace 'payments' with pods labeled 'app=payments-api'. Security requires that only pods running in namespaces labeled 'tier=frontend' be allowed to connect to the payments API on TCP port 8443, and all other ingress must be denied. No NetworkPolicy currently exists in the 'payments' namespace. Which NetworkPolicy correctly enforces this requirement?
A backend Deployment exposes a Pod with label app=payments listening on TCP 8080. Currently all traffic to these Pods is permitted. The security team requires that only Pods labeled role=frontend within the same namespace may reach the payments Pods, and only on port 8080. All other ingress must be blocked. Which NetworkPolicy correctly enforces this requirement?
A namespace 'payments' has no NetworkPolicies. You apply a single NetworkPolicy that selects all pods in the namespace, sets 'policyTypes: [Ingress]', and defines one ingress rule allowing traffic only from pods labeled 'app=frontend'. After applying it, the payments pods can no longer reach the external billing API on the internet, even though the ingress rule seems unrelated to outbound traffic. What is the actual cause of the broken outbound connectivity?
You apply a NetworkPolicy in the 'payments' namespace that selects all pods and sets 'policyTypes: [Egress]' with an empty egress rules array to establish a default-deny-egress posture. Immediately afterward, application pods start failing with errors resolving service names, though they were previously healthy. You must keep the default-deny-egress baseline but restore functionality. What is the correct fix?
A frontend Pod in the 'web' namespace must reach a backend Service in the 'api' namespace. You applied a default-deny egress NetworkPolicy to the 'web' namespace, then added a policy allowing egress to Pods labeled 'app=api' in the 'api' namespace on TCP 8080. The frontend can no longer resolve or reach the backend, and application logs show DNS lookup failures for the backend Service name. What must you add to restore connectivity while keeping egress restricted?
A team deploys the 'payments' application into the 'finance' namespace. Security requires that pods in 'finance' may only send traffic to other pods within the same namespace, while continuing to resolve DNS via CoreDNS in kube-system. All other egress must be blocked. The CNI plugin fully supports NetworkPolicy. Which NetworkPolicy configuration correctly enforces this?
An application team runs Pods labeled app=payments in the checkout namespace. A cluster-wide default-deny egress policy is already in place. The Pods must be able to connect to an external payment gateway at IP 203.0.113.50 on TCP port 443, but must not be able to reach any other external destination. DNS resolution via CoreDNS (kube-system) is already permitted by a separate policy. Which NetworkPolicy correctly grants only the required egress?
A team runs a Pod labeled app=payments in the finance namespace that must reach an external payment gateway on port 443 by hostname. A default-deny egress NetworkPolicy is already in place for the namespace. After applying an egress policy allowing traffic to the gateway's IP block on port 443, the application still fails with name resolution errors, though direct IP connectivity tests to the gateway succeed. What must be added to the egress policy to fix this?
In the namespace 'payments', a security engineer applies the following NetworkPolicy: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: restrict namespace: payments spec: podSelector: {} policyTypes: - Ingress Before this policy, all Pods in 'payments' could freely receive traffic from any source. After applying it, other teams report that Pods in 'payments' are no longer reachable. What is the effect of this policy?
More CKA practice
Keep going with the other Certified Kubernetes Administrator (CKA) domains, or take a full timed mock exam.
← Back to CKA overview