[UPDATED 2026] Linux Foundation KCNA Questions Prepare with Free Demo of PDF [Q126-Q143]

Share

[UPDATED 2026] Linux Foundation KCNA Questions Prepare with Free Demo of PDF

NEW 2026 Certification Sample Questions KCNA Dumps & Practice Exam


Linux Foundation KCNA Certification Exam is an online, proctored exam that consists of 40 multiple-choice questions. KCNA exam is conducted on the EdX platform, which is a leading online learning platform. KCNA exam is designed to test the candidate's understanding of the fundamentals of Kubernetes, containerization, and cloud-native technologies. KCNA exam covers topics such as Kubernetes architecture, deployment, configuration, and troubleshooting.

 

NEW QUESTION # 126
The Container Runtime Interface (CRI) defines the protocol for the communication between:

  • A. The container runtime and etcd.
  • B. The kube-apiserver and the kubelet.
  • C. The kubelet and the container runtime.
  • D. The container runtime and the image registry.

Answer: C

Explanation:
The CRI (Container Runtime Interface) defines how the kubelet talks to the container runtime, so A is correct. The kubelet is the node agent responsible for ensuring containers are running in Pods on that node. It needs a standardized way to request operations such as: create a Pod sandbox, pull an image, start/stop containers, execute commands, attach streams, and retrieve logs. CRI provides that contract so kubelet does not need runtime-specific integrations.
This interface is a key part of Kubernetes' modular design. Different container runtimes implement the CRI, allowing Kubernetes to run with containerd, CRI-O, and other CRI-compliant runtimes. This separation of concerns lets Kubernetes focus on orchestration, while runtimes focus on executing containers according to the OCI runtime spec, managing images, and handling low-level container lifecycle.
Why the other options are incorrect:
* etcd is the control plane datastore; container runtimes do not communicate with etcd via CRI.
* kube-apiserver and kubelet communicate using Kubernetes APIs, but CRI is not their protocol; CRI is specifically kubelet # runtime.
* container runtime and image registry communicate using registry protocols (image pull/push APIs), but that is not CRI. CRI may trigger image pulls via runtime requests, yet the actual registry communication is separate.
Operationally, this distinction matters when debugging node issues. If Pods are stuck in "ContainerCreating" due to image pull failures or runtime errors, you often investigate kubelet logs and the runtime (containerd
/CRI-O) logs. Kubernetes administrators also care about CRI streaming (exec/attach/logs streaming), runtime configuration, and compatibility across Kubernetes versions.
So, the verified answer is A: the kubelet and the container runtime.
=========


NEW QUESTION # 127
What is CloudEvents?

  • A. It is a specification for describing event data in common formats in all cloud providers including major cloud providers.
  • B. It is a specification for describing event data in common formats to provide interoperability across services, platforms and systems.
  • C. It is a Kubernetes specification for describing events data in common formats for iCloud services, iOS platforms and iMac.
  • D. It is a specification for describing event data in common formats for Kubernetes network traffic management and cloud providers.

Answer: B

Explanation:
CloudEvents is an open specification for describing event data in a common way to enable interoperability across services, platforms, and systems, so C is correct. In cloud-native architectures, many components communicate asynchronously via events (message brokers, event buses, webhooks). Without a standard envelope, each producer and consumer invents its own event structure, making integration brittle. CloudEvents addresses this by standardizing core metadata fields-like event id, source, type, specversion, and time-and defining how event payloads are carried.
This helps systems interoperate regardless of transport. CloudEvents can be serialized as JSON or other encodings and carried over HTTP, messaging systems, or other protocols. By using a shared spec, you can route, filter, validate, and transform events more consistently.
Option A is too narrow and incorrectly ties CloudEvents to Kubernetes traffic management; CloudEvents is broader than Kubernetes. Option B is closer but still framed incorrectly-CloudEvents is not merely "for all cloud providers," it is an interoperability spec across services and platforms, including but not limited to cloud provider event systems. Option D is clearly incorrect.
In Kubernetes ecosystems, CloudEvents is relevant to event-driven systems and serverless platforms (e.g., Knative Eventing and other eventing frameworks) because it provides a consistent event contract across producers and consumers. That consistency reduces coupling, supports better tooling (schema validation, tracing correlation), and makes event-driven architectures easier to operate at scale.
So, the correct definition is C: a specification for common event formats to enable interoperability across systems.


NEW QUESTION # 128
What are the most important resources to guarantee the performance of an etcd cluster?

  • A. CPU and RAM memory.
  • B. CPU and disk capacity.
  • C. Network throughput and CPU.
  • D. Network throughput and disk I/O.

Answer: D

Explanation:
etcd is the strongly consistent key-value store backing Kubernetes cluster state. Its performance directly affects the entire control plane because most API operations require reads/writes to etcd. The most critical resources for etcd performance are disk I/O (especially latency) and network throughput/latency between etcd members and API servers-so B is correct.
etcd is write-ahead-log (WAL) based and relies heavily on stable, low-latency storage. Slow disks increase commit latency, which slows down object updates, watches, and controller loops. In busy clusters, poor disk performance can cause request backlogs and timeouts, showing up as slow kubectl operations and delayed controller reconciliation. That's why production guidance commonly emphasizes fast SSD-backed storage and careful monitoring of fsync latency.
Network performance matters because etcd uses the Raft consensus protocol. Writes must be replicated to a quorum of members, and leader-follower communication is continuous. High network latency or low throughput can slow replication and increase the time to commit writes. Unreliable networking can also cause leader elections or cluster instability, further degrading performance and availability.
CPU and memory are still relevant, but they are usually not the first bottleneck compared to disk and network.
CPU affects request processing and encryption overhead if enabled, while memory affects caching and compaction behavior. Disk "capacity" alone (size) is less relevant than disk I/O characteristics (latency, IOPS), because etcd performance is sensitive to fsync and write latency.
In Kubernetes operations, ensuring etcd health includes: using dedicated fast disks, keeping network stable, enabling regular compaction/defragmentation strategies where appropriate, sizing correctly (typically odd- numbered members for quorum), and monitoring key metrics (commit latency, fsync duration, leader changes). Because etcd is the persistence layer of the API, disk I/O and network quality are the primary determinants of control-plane responsiveness-hence B.
=========


NEW QUESTION # 129
Which of the following would fall under the responsibilities of an SRE?

  • A. Submitting a budget for running an application in a cloud.
  • B. Creating a monitoring baseline for an application.
  • C. Developing a new application feature.
  • D. Writing policy on how to submit a code change.

Answer: B

Explanation:
Site Reliability Engineering (SRE) focuses on reliability, availability, performance, and operational excellence using engineering approaches. Among the options, creating a monitoring baseline for an application is a classic SRE responsibility, so B is correct. A monitoring baseline typically includes defining key service-level signals (latency, traffic, errors, saturation), establishing dashboards, setting sensible alert thresholds, and ensuring telemetry is complete enough to support incident response and capacity planning.
In Kubernetes environments, SRE work often involves ensuring that workloads expose health endpoints for probes, that resource requests/limits are set to allow stable scheduling and autoscaling, and that observability pipelines (metrics, logs, traces) are consistent. Building a monitoring baseline also ties into SLO/SLI practices: SREs define what "good" looks like, measure it continuously, and create alerts that notify teams when the system deviates from those expectations.
Option A is primarily an application developer task-SREs may contribute to reliability features, but core product feature development is usually owned by engineering teams. Option C is more aligned with finance, FinOps, or management responsibilities, though SRE data can inform costs. Option D is closer to governance, platform policy, or developer experience/process ownership; SREs might influence processes, but "policy on how to submit code change" is not the defining SRE duty compared to monitoring and reliability engineering.
Therefore, the best verified choice is B, because establishing monitoring baselines is central to operating reliable services on Kubernetes.


NEW QUESTION # 130
You have a Kubernetes cluster with a pod that uses a resource limit of 100m CPU. What happens if the pod requests more CPU resources than the limit?

  • A. The pod will be throttled and its performance will be impacted.
  • B. The pod will be scheduled on a different node with more available resources.
  • C. The pod will be killed and restarted.
  • D. The pod will be automatically scaled down to 100m CPU.
  • E. The pod will continue to run using the requested amount of CPU.

Answer: A

Explanation:
The pod will be throttled and its performance will be impacted. The CPIJ limit acts as a hard ceiling, preventing the pod from consuming more resources than specified. Even if the pod requests more CPU, it will be constrained to the limit, leading to performance degradation. The pod will not be killed, restarted, or automatically scaled down. It will continue to run, but its performance will be affected due to the resource constraint.


NEW QUESTION # 131
Your organization is adopting a cloud-native approach and plans to migrate several legacy applications to Kubernetes. Which role would be primarily responsible for designing and implementing the overall Kubernetes infrastructure, including resource allocation, networking, and security policies?

  • A. Cloud Architect
  • B. Data Scientist
  • C. Site Reliability Engineer (SRE)
  • D. Security Engineer
  • E. DevOps Engineer

Answer: A

Explanation:
A Cloud Architect is responsible for the overall design, implementation, and management of cloud-based infrastructure, including Kubernetes- They ensure the infrastructure meets the organization's needs for scalability, security, and performance.


NEW QUESTION # 132
Flux is built using which toolkit?

  • A. GitOps
  • B. CI/CD
  • C. DevOps
  • D. DevSecOps

Answer: A

Explanation:
https://fluxcd.io/


NEW QUESTION # 133
What is Serverless computing?

  • A. A computing method of providing services for quantum computing operating systems.
  • B. A computing method of providing services for cloud computing operating systems.
  • C. A computing method of providing backend services on an as-used basis.
  • D. A computing method of providing services for AI and ML operating systems.

Answer: C

Explanation:
Serverless computing is a cloud execution model where the provider manages infrastructure concerns and you consume compute as a service, typically billed based on actual usage (requests, execution time, memory), which matches A. In other words, you deploy code (functions) or sometimes containers, configure triggers (HTTP events, queues, schedules), and the platform automatically provisions capacity, scales it up/down, and handles much of availability and fault tolerance behind the scenes.
From a cloud-native architecture standpoint, "serverless" doesn't mean there are no servers; it means developers don't manage servers. The platform abstracts away node provisioning, OS patching, and much of runtime scaling logic. This aligns with the "as-used basis" phrasing: you pay for what you run rather than maintaining always-on capacity.
It's also useful to distinguish serverless from Kubernetes. Kubernetes automates orchestration (scheduling, self-healing, scaling), but operating Kubernetes still involves cluster-level capacity decisions, node pools, upgrades, networking baseline, and policy. With serverless, those responsibilities are pushed further toward the provider/platform. Kubernetes can enable serverless experiences (for example, event-driven autoscaling frameworks), but serverless as a model is about a higher level of abstraction than "orchestrate containers yourself." Options B, C, and D are incorrect because they describe specialized or vague "operating system" services rather than the commonly accepted definition. Serverless is not specifically about AI/ML OSs or quantum OSs; it's a general compute delivery model that can host many kinds of workloads.
Therefore, the correct definition in this question is A: providing backend services on an as-used basis.
=========


NEW QUESTION # 134
Which of the following resources helps in managing a stateless application workload on a Kubernetes cluster?

  • A. DaemonSet
  • B. kubectl
  • C. Deployment
  • D. StatefulSet

Answer: C

Explanation:
The correct answer is D: Deployment. A Deployment is the standard Kubernetes controller for managing stateless applications. It provides declarative updates, replica management, and rollout/rollback functionality.
You define the desired state (container image, environment variables, ports, replica count) in the Deployment spec, and Kubernetes ensures the specified number of Pods are running and updated according to strategy (RollingUpdate by default).
Stateless workloads are ideal for Deployments because each replica is interchangeable. If a Pod dies, a new one can be created anywhere; if traffic increases, replicas can be increased; if you need to update the app, a new ReplicaSet is created and traffic shifts gradually to new Pods. Deployments integrate naturally with Services for stable networking and load balancing.
Why the other options are incorrect:
* A DaemonSet ensures one Pod per node (or selected nodes). It's for node-level agents, not generic stateless service replicas.
* A StatefulSet is for workloads needing stable identity, ordered rollout, and persistent storage per replica (databases, quorum systems). That's not the typical stateless app case.
* kubectl is a CLI tool; it doesn't "manage" workloads as a controller resource.
In real cluster operations, almost every stateless microservice is represented as a Deployment plus a Service (and often an Ingress/Gateway for edge routing). Deployments also support advanced delivery patterns (maxSurge/maxUnavailable tuning) and easy integration with HPA for horizontal scaling. Because the question is specifically "managing a stateless application workload," the Kubernetes resource designed for that is clearly the Deployment.
=========


NEW QUESTION # 135
You are running a microservice-based application in Kubernetes. Each service has its own HPA configured for scaling. How can you ensure that the scaling decisions for different services are coordinated to prevent resource contention?

  • A. Configure each HPA to scale based on the resource usage of other services.
  • B. Use a distributed cache to store and share scaling metrics across different HPAs
  • C. Utilize resource quotas to limit the resources allocated to each service, preventing resource contention.
  • D. Create a custom controller to monitor resource usage across all services and coordinate scaling decisions.
  • E. Use a single HPA for all microservices to manage scaling centrally.

Answer: C,D

Explanation:
Both resource quotas and a custom controller can help prevent resource contention. Resource quotas limit the resources each service can consume, preventing one service from monopolizing resources- A custom controller can monitor resource usage across all services and make coordinated scaling decisions to avoid over-provisioning and resource exhaustion.


NEW QUESTION # 136
What is the primary mechanism to identify grouped objects in a Kubernetes cluster?

  • A. Pod
  • B. Label Selector
  • C. Labels
  • D. Custom Resources

Answer: C

Explanation:
Kubernetes groups and organizes objects primarily using labels, so B is correct. Labels are key-value pairs attached to objects (Pods, Deployments, Services, Nodes, etc.) and are intended to be used for identifying, selecting, and grouping resources in a flexible, user-defined way.
Labels enable many core Kubernetes behaviors. For example, a Service selects the Pods that should receive traffic by matching a label selector against Pod labels. A Deployment's ReplicaSet similarly uses label selectors to determine which Pods belong to the replica set. Operators and platform tooling also rely on labels to group resources by application, environment, team, or cost center. This is why labeling is considered foundational Kubernetes hygiene: consistent labels make automation, troubleshooting, and governance easier.
A "label selector" (option C) is how you query/group objects based on labels, but the underlying primary mechanism is still the labels themselves. Without labels applied to objects, selectors have nothing to match. Custom Resources (option A) extend the API with new kinds, but they are not the primary grouping mechanism across the cluster. "Pod" (option D) is a workload unit, not a grouping mechanism.
Practically, Kubernetes recommends common label keys like app.kubernetes.io/name, app.kubernetes.io/instance, and app.kubernetes.io/part-of to standardize grouping. Those conventions improve interoperability with dashboards, GitOps tooling, and policy engines.
So, when the question asks for the primary mechanism used to identify grouped objects in Kubernetes, the most accurate answer is Labels (B)-they are the universal metadata primitive used to group and select resources.


NEW QUESTION # 137
What is container runtime?

  • A. The amount of time it takes a container to execute
  • B. Another term of kubelet or kubectl
  • C. A container image format
  • D. Software that runs containers

Answer: D

Explanation:
https://www.aquasec.com/cloud-native-academy/container-security/container-runtime/


NEW QUESTION # 138
What is the smallest possible unit in Kubernetes to run a container?

  • A. pod
  • B. service
  • C. container
  • D. docker

Answer: A

Explanation:
https://kubernetes.io/docs/concepts/workloads/pods/


NEW QUESTION # 139
What is the purpose of the kube-proxy component in Kubernetes?

  • A. Manages the Kubernetes API server and handles authentication and authorization requests.
  • B. Provides a secure and reliable connection between the Kubernetes control plane and nodes-
  • C. Stores the configuration and state of the Kubernetes cluster
  • D. Monitors and manages the health and status of Pods and other Kubernetes objects
  • E. Enables communication between Pods and services within a Kubernetes cluster.

Answer: E

Explanation:
kube-proxy acts as a network proxy that enables communication between Pods and services within a Kubernetes cluster. It handles service discovery, load balancing, and network rules for Pods.


NEW QUESTION # 140
Which is the correct kubectl command to display logs in real time?

  • A. kubectl logs -c test-container-1
  • B. kubectl logs -f test-container-1
  • C. kubectl logs -l test-container-1
  • D. kubectl logs -p test-container-1

Answer: B

Explanation:
To stream logs in real time with kubectl, you use the follow option -f, so D is correct. In Kubernetes, kubectl logs retrieves logs from containers in a Pod. By default, it returns the current log output and exits. When you add -f, kubectl keeps the connection open and continuously prints new log lines as they are produced, similar to tail -f on Linux. This is especially useful for debugging live behavior, watching startup sequences, or monitoring an application during a rollout.
The other flags serve different purposes. -p (as seen in option A) requests logs from the previous instance of a container (useful after a restart/crash), not real-time streaming. -c (option B) selects a specific container within a multi-container Pod; it doesn't stream by itself (though it can be combined with -f). -l (option C) is used with kubectl logs to select Pods by label, but again it is not the streaming flag; streaming requires -f.
In real troubleshooting, you commonly combine flags, e.g. kubectl logs -f pod-name -c container-name for streaming logs from a specific container, or kubectl logs -f -l app=myapp to stream from Pods matching a label selector (depending on kubectl behavior/version). But the key answer to "display logs in real time" is the follow flag: -f.
Therefore, the correct selection is D.
________________________________________


NEW QUESTION # 141
Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called:

  • A. Containers
  • B. cgroups
  • C. Hypervisors
  • D. Namespaces

Answer: D

Explanation:
Kubernetes provides "virtual clusters" within a single physical cluster primarily through Namespaces, so A is correct. Namespaces are a logical partitioning mechanism that scopes many Kubernetes resources (Pods, Services, Deployments, ConfigMaps, Secrets, etc.) into separate environments. This enables multiple teams, applications, or environments (dev/test/prod) to share a cluster while keeping their resource names and access controls separated.
Namespaces are often described as "soft multi-tenancy." They don't provide full isolation like separate clusters, but they do allow administrators to apply controls per namespace:
RBAC rules can grant different permissions per namespace (who can read Secrets, who can deploy workloads, etc.).
ResourceQuotas and LimitRanges can enforce fair usage and prevent one namespace from consuming all cluster resources.
NetworkPolicies can isolate traffic between namespaces (depending on the CNI).
Containers are runtime units inside Pods and are not "virtual clusters." Hypervisors are virtualization components for VMs, not Kubernetes partitioning constructs. cgroups are Linux kernel primitives for resource control, not Kubernetes virtual cluster constructs.
While there are other "virtual cluster" approaches (like vcluster projects) that create stronger virtualized control planes, the built-in Kubernetes mechanism referenced by this question is namespaces. Therefore, the correct answer is A: Namespaces.


NEW QUESTION # 142
There are three Nodes in a cluster, and want to run exactly one replica of a Pod on each Node. Pre-fer to automatically create a replica on any new Nodes when they are added. Which Kubernetes re-source should you use?

  • A. StatefulSet
  • B. DaemonSet
  • C. NodeSet
  • D. Deployment
  • E. ReplicaSet

Answer: B

Explanation:
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
A DaemonSet runs replicas on all (or just some) Nodes in the cluster.


NEW QUESTION # 143
......

KCNA Deluxe Study Guide with Online Test Engine: https://passleader.testpassking.com/KCNA-exam-testking-pass.html