Kubernetes and Cloud Native Associate · Domain 2 · 28% of exam

Container Orchestration

Drill 20 practice questions focused entirely on Container Orchestration for the Linux Foundation KCNA exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

During a security review, your team is documenting the '4Cs of Cloud Native Security' model to prioritize where controls should be applied. A colleague argues that if the outermost layer is poorly secured, weaknesses there can undermine all the layers built on top of it. Which layer of the 4Cs model is the outermost, foundational layer that the other three depend on?

Reviewed for accuracy · Report an issue
Question 2 of 20

A small team manually starts and stops containers across a fleet of five servers. As traffic grows, they struggle to keep applications running when a server crashes, to distribute load evenly, and to roll out new versions without downtime. They are evaluating whether to adopt a container orchestrator like Kubernetes. Which capability best explains why orchestration would solve their core problem?

Reviewed for accuracy · Report an issue
Question 3 of 20

A platform engineer is validating whether a newly built Kubernetes cluster conforms to the Kubernetes networking model. They want to confirm the fundamental rule that any CNI implementation must satisfy for the cluster to be considered compliant. Which statement correctly describes a core requirement of the Kubernetes networking model?

Reviewed for accuracy · Report an issue
Question 4 of 20

A platform engineer creates a ClusterRole named 'log-reader' that allows getting and listing pods in all namespaces. They then create a RoleBinding in the 'team-a' namespace that references the 'log-reader' ClusterRole and binds it to the user 'dev-alice'. After this, dev-alice reports she can read pods in 'team-a' but gets 'Forbidden' errors when reading pods in the 'team-b' namespace. What best explains this behavior?

Reviewed for accuracy · Report an issue
Question 5 of 20

You are bringing up a brand-new Kubernetes cluster. The control plane is healthy and worker nodes show status Ready. However, every application Pod you create remains stuck in the ContainerCreating state, and 'kubectl describe pod' shows an event referencing 'failed to set up sandbox: networkPlugin cni failed to set up pod ... no CNI configuration found'. What is the most likely cause?

Reviewed for accuracy · Report an issue
Question 6 of 20

A platform engineer is documenting how the Kubernetes networking model works for a new team. They want to explain which piece of the stack is responsible for assigning each Pod an IP address and enabling Pods on different nodes to reach one another directly, without NAT between them. Which component fulfills this responsibility?

Reviewed for accuracy · Report an issue
Question 7 of 20

A developer complains that two containers in the same Pod cannot reach each other over 'localhost' as they expected, but claims each container should have its own IP. As the platform engineer, how do you correctly explain the Kubernetes networking model for containers within a single Pod?

Reviewed for accuracy · Report an issue
Question 8 of 20

A small team currently runs containers directly on individual VMs using shell scripts. When a container crashes at night, it stays down until someone manually restarts it, causing outages. They are evaluating whether adopting a container orchestrator like Kubernetes would help. Which core orchestration capability most directly addresses their problem of crashed containers staying down?

Reviewed for accuracy · Report an issue
Question 9 of 20

A platform team maintains a Kubernetes cluster and wants the freedom to switch between different container runtimes (for example, from one runtime to another) without modifying the kubelet or rebuilding the control plane. Which design element of Kubernetes makes this runtime interchangeability possible?

Reviewed for accuracy · Report an issue
Question 10 of 20

A security review of your team's Kubernetes workloads finds that several containers run as the root user (UID 0) inside their images. Your security lead asks you to reduce the risk that a compromised container could escalate privileges on the host. Which change to the Pod specification most directly addresses this concern as a container security basic?

Reviewed for accuracy · Report an issue
Question 11 of 20

A platform team is designing a cluster and wants to understand the layered responsibility for actually starting containers on a node. The kubelet does not run containers itself. Which statement correctly describes how the kubelet gets a container running on a node?

Reviewed for accuracy · Report an issue
Question 12 of 20

Your platform team is evaluating whether to replace the container runtime on your Kubernetes nodes from containerd to CRI-O. A colleague worries this will require rewriting the kubelet or changing how pods are defined. What is the primary benefit that the Container Runtime Interface (CRI) provides in this situation?

Reviewed for accuracy · Report an issue
Question 13 of 20

Your team is upgrading a Kubernetes cluster and notices in the release notes that the built-in Docker integration (dockershim) has been removed. The nodes currently use Docker as the container runtime. What is the primary reason Kubernetes was able to remove this integration without breaking support for existing OCI container images?

Reviewed for accuracy · Report an issue
Question 14 of 20

A platform team wants their cloud provider to release new storage features (like custom volume provisioning) without waiting for the storage logic to be merged into the main Kubernetes source code and shipped in a Kubernetes release. Which design goal of the Container Storage Interface (CSI) directly addresses this requirement?

Reviewed for accuracy · Report an issue
Question 15 of 20

A platform team wants to attach volumes from a new commercial storage vendor to their Kubernetes pods. The vendor ships a plugin that integrates with Kubernetes without requiring changes to the core Kubernetes source code or recompiling the kubelet. Which Kubernetes mechanism makes this vendor-provided storage integration possible?

Reviewed for accuracy · Report an issue
Question 16 of 20

A team runs a PostgreSQL database on Kubernetes using a PersistentVolumeClaim backed by a CSI driver that supports the snapshot feature. Before applying a risky schema migration, they want to capture a point-in-time copy of the database volume so they can quickly restore it if the migration fails. Which Kubernetes resource should they create to accomplish this?

Reviewed for accuracy · Report an issue
Question 17 of 20

A team runs a single-container Pod that caches temporary processing files in a volume defined as 'emptyDir'. During testing, a developer notices that after the Pod is deleted and rescheduled onto another node, all the cached files are gone. They ask you to explain this behavior. What is the correct explanation for why the data did not persist?

Reviewed for accuracy · Report an issue
Question 18 of 20

A developer configures a Pod to persist logs using a hostPath volume pointing to /var/data on the node. During testing, the Pod is rescheduled to a different node after the original node is drained, and the application reports that its previously written data is missing. What is the most accurate explanation of this behavior?

Reviewed for accuracy · Report an issue
Question 19 of 20

A developer new to Kubernetes asks why their application pods can reach each other directly using pod IP addresses, even when the pods run on different nodes, without any port mapping or NAT configuration. Which statement best describes the Kubernetes networking model that makes this possible?

Reviewed for accuracy · Report an issue
Question 20 of 20

A security engineer applies two separate NetworkPolicy objects to the pods labeled app=payments in the same namespace. Policy A allows ingress from pods labeled role=frontend, and Policy B allows ingress from pods labeled role=monitoring. A colleague worries that having two policies will cause a conflict where only one set of traffic is permitted. What is the actual effect on ingress traffic to the payments pods?

Reviewed for accuracy · Report an issue

More KCNA practice

Keep going with the other Kubernetes and Cloud Native Associate domains, or take a full timed mock exam.

← Back to KCNA overview