
Linux Foundation Certified Kubernetes Application Developer - CKAD Exam Questions

QUESTION NO: 1
Context
You must connect to the correct host. Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00028
Task
A Pod within the Deployment named honeybee-deployment and in namespace gorilla is logging errors.
Look at the logs to identify error messages.
Find errors, including User "system:serviceaccount:gorilla:default" cannot list resource "pods" [ ... ] in the namespace "gorilla"
Update the Deployment honeybee-deployment to resolve the errors in the logs of the Pod.
The honeybee-deployment's manifest file can be found at
/home/candidate/prompt-escargot/honey bee-deployment.yaml
Correct Answer:
See the Explanation below for complete solution.
Explanation:
ssh ckad00028
You're seeing RBAC errors like:
User "system:serviceaccount:gorilla:default" cannot list resource "pods" ... in namespace "gorilla"
That means the Pod is running as the default ServiceAccount and needs permission to list pods (and possibly also get/watch).
You must fix it by updating the Deployment (via its manifest file) and giving it the proper RBAC.
1) Confirm the error in logs
kubectl -n gorilla get deploy honeybee-deployment
kubectl -n gorilla logs deploy/honeybee-deployment --tail=200
If it's CrashLooping and you need previous logs:
POD=$(kubectl -n gorilla get pods -l app=honeybee -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || kubectl -n gorilla get pods -o jsonpath='{.items[0].metadata.name}')
kubectl -n gorilla logs "$POD" --previous --tail=200
You should see the "cannot list resource pods" line.
2) Create a dedicated ServiceAccount for the app
(Using a dedicated SA is standard practice; the task wants you to "resolve the errors".)
kubectl -n gorilla create serviceaccount honeybee-sa
kubectl -n gorilla get sa honeybee-sa
3) Create RBAC: Role + RoleBinding (namespaced)
This will allow listing pods in namespace gorilla.
cat <<'EOF' > honeybee-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: honeybee-pod-reader
  namespace: gorilla
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: honeybee-pod-reader-binding
  namespace: gorilla
subjects:
- kind: ServiceAccount
  name: honeybee-sa
  namespace: gorilla
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: honeybee-pod-reader
EOF
Apply it:
kubectl apply -f honeybee-rbac.yaml
Quick verification (optional but very useful):
kubectl auth can-i list pods -n gorilla --as=system:serviceaccount:gorilla:honeybee-sa
Should return yes.
4) Update the Deployment manifest to use the new ServiceAccount
The manifest is at:
/home/candidate/prompt-escargot/honey bee-deployment.yaml
Because there's a space in the filename, quote it.
4.1 Edit the file
cd /home/candidate/prompt-escargot
ls -l
vi "honey bee-deployment.yaml"
In the Deployment YAML, add (or set) this under spec.template.spec:
serviceAccountName: honeybee-sa
Example location:
spec:
  template:
    spec:
      serviceAccountName: honeybee-sa
      containers:
      - name: ...
Save and exit.
4.2 Apply the updated manifest
kubectl apply -f "/home/candidate/prompt-escargot/honey bee-deployment.yaml"
5) Ensure rollout succeeds and errors are gone
kubectl -n gorilla rollout status deploy honeybee-deployment
kubectl -n gorilla logs deploy/honeybee-deployment --tail=200
Also confirm the pods now run with the right ServiceAccount:
kubectl -n gorilla get pods -o jsonpath='{range .items[*]}{.metadata.name}{" sa="}{.spec.serviceAccountName}{"\n"}{end}'
You should no longer see the RBAC "cannot list pods" errors.
QUESTION NO: 2
You have a Deployment named 'wordpress-deployment' that runs a WordPress application. You want to ensure that Kubernetes automatically restarts pods if they experience an unexpected termination, such as a container crash. Implement the necessary configuration for your deployment.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Update the Deployment YAML:
- Add 'restartPolicy: Always' to the 'spec.template.spec.containers' section of your Deployment YAML. This ensures that the pod will always be restarted if a container terminates unexpectedly.

2. Apply the Deployment:
- Apply the updated Deployment YAML using: kubectl apply -f wordpress-deployment.yaml
3. Test the Restart Policy:
- Simulate a container crash within a pod (e.g., by sending a SIGKILL signal to the container).
- Observe the pod status using 'kubectl get pods -l app=wordpress'. You should see the pod being automatically restarted, and the 'STATUS' should become 'Running' again.
Important Note:
- 'restartPolicy: Always' is the default setting for Kubernetes deployments. By explicitly adding it to your YAML, you ensure that this behavior is documented and consistent within your deployment configuration.
QUESTION NO: 3
You have a container image for a web application that uses a specific version of a Java library. You want to update this library to a newer version, but you are concerned about potential compatibility issues. Describe the steps involved in modifying the container image to include both the old and new versions of the library, allowing you to selectively use either version based on your needs.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Dockerfile:
- Create a new 'Dockerfile' with the following content:

- Replace 'your-java-library' with the actual Java library name.
- Replace 'new-version' and 'old-version' with the desired versions.
- Adjust the 'apt-get' commands to match the package manager of your chosen base image.
2. Build the Image:
- Build the image using the Dockerfile: docker build -t updated-image:latest .
3. Modify your application code:
- Modify your Java code to explicitly use the desired version of the library. You can achieve this by:
  - Setting a System Property: Pass the desired version as a system property to the JVM, and your application can then read and use it.
  - Using the Classpath: Add the specific jar file for the desired version to the classpath at runtime.
  - Conditional Loading: Implement logic in your code to determine which version to use based on specific conditions or user input.
4. Update the Deployment:
- Modify your Deployment YAML file to use the newly built image:

5. Apply the Changes:
- Apply the updated Deployment using 'kubectl apply -f deployment.yaml'
6. Test the Application:
- Access your application and ensure it functions correctly with both versions of the library. You should be able to test both versions of the library and switch between them based on your requirements.
QUESTION NO: 4

Task:
Create a Deployment named expose in the existing ckad00014 namespace running 6 replicas of a Pod.
Specify a single container using the lfccncf/nginx:1.13.7 image
Add an environment variable named NGINX_PORT with the value 8001 to the container, then expose port 8001
Correct Answer:
See the solution below.
Explanation:
Solution:


QUESTION NO: 5

Given a container that writes a log file in format A and a container that converts log files from format A to format B, create a deployment that runs both containers such that the log files from the first container are converted by the second container, emitting logs in format B.
Task:
* Create a deployment named deployment-xyz in the default namespace, that:
* Includes a primary lfccncf/busybox:1 container, named logger-dev
* Includes a sidecar lfccncf/fluentd:v0.12 container, named adapter-zen
* Mounts a shared volume /tmp/log on both containers, which does not persist when the pod is deleted
* Instructs the logger-dev container to run the command

which should output logs to /tmp/log/input.log in plain text format, with example values:

* The adapter-zen sidecar container should read /tmp/log/input.log and output the data to /tmp/log/output.* in Fluentd JSON format. Note that no knowledge of Fluentd is required to complete this task: all you will need to achieve this is to create the ConfigMap from the spec file provided at /opt/KDMC00102/fluentd-configmap.yaml, and mount that ConfigMap to /fluentd/etc in the adapter-zen sidecar container.
Correct Answer:
See the solution below.
Solution:





QUESTION NO: 6
You are running a web application with multiple services exposed via Kubernetes Ingress. The application has two distinct environments: 'staging' and 'production' , each with its own set of services and domain names. You need to configure Ingress rules to route traffic to the appropriate services based on the requested hostname and environment. For example, requests to 'staging.example.com' should be directed to the staging environment, while requests to 'example.com' should go to the production environment. Implement this configuration using Ingress rules.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Service for Each Environment:
- Define services for both 'staging' and 'production' environments, ensuring that the services for each environment are named appropriately. For example, 'staging-service' and .

2. Create an Ingress Resource: - Define an Ingress resource that maps the hostnames to the corresponding services.

3. Apply the Configuration:
- Apply the service and ingress definitions using 'kubectl apply -f services.yaml' and 'kubectl apply -f ingress.yaml' respectively.
4. Test the Configuration:
- Access 'staging.example.com' and 'example.com' in your browser to ensure that the traffic is directed to the correct services and environments.
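Steps 1 and 2 as manifests, added here as an example and not taken from the original answer. The name production-service, the Ingress name, the pod labels and the target port are assumptions; the hostnames and staging-service come from the question.

```yaml
# services.yaml (one Service per environment)
apiVersion: v1
kind: Service
metadata:
  name: staging-service
spec:
  selector: {app: web, env: staging}      # hypothetical pod labels
  ports:
  - port: 80
    targetPort: 8080                      # assumed container port
---
apiVersion: v1
kind: Service
metadata:
  name: production-service                # assumed name
spec:
  selector: {app: web, env: production}   # hypothetical pod labels
  ports:
  - port: 80
    targetPort: 8080
---
# ingress.yaml (routing is decided by the request's Host header)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: env-routing                       # hypothetical name
spec:
  rules:
  - host: staging.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: staging-service
            port: {number: 80}
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: production-service
            port: {number: 80}
```

Each Service selects only the pods of its own environment, so the env label is what keeps staging traffic away from production pods. A request whose Host header matches neither rule is not routed to either Service by these rules.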
QUESTION NO: 7
You have a multi-container pod that uses a database container and an application container. The database container is responsible for storing sensitive data. You need to ensure that the database container only runs on nodes that have a specific label, like 'sensitive-data=true', for added security. How would you implement this constraint using Pod Affinity and node selectors?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Define Node Labels:
- First, you need to label your nodes appropriately. Use 'kubectl label nodes <node-name> sensitive-data=true' for nodes that should host the database container.
2. Create Pod Affinity Rules:
- In your pod definition, add a 'nodeSelector' to enforce the requirement.

3. Apply the Pod Definition:
- Apply the updated pod definition using 'kubectl apply -f my-app.yaml'
4. Verification:
- Check the pod status using 'kubectl get pods my-app'. Ensure the pod is scheduled on a node with the 'sensitive-data=true' label.
5. Further Security:
- You can additionally use 'podAffinity' to ensure that the database container and the application container run on different nodes. This adds an extra layer of security in case one node is compromised.

- In this example, 'podAntiAffinity' with 'requiredDuringSchedulingIgnoredDuringExecution' ensures that the database container and the application container are not scheduled on the same node, thus preventing potential data breaches.
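An added example (not part of the original answer) of steps 2 and 5: a database Pod pinned to labelled nodes with nodeSelector and kept off any node that runs the application Pod. It assumes the database and the application run as separate Pods, because containers of one Pod always share a node; the role labels and the image name are hypothetical.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-app              # pod name used in the verification step
  labels:
    role: database          # hypothetical label
spec:
  # Hard constraint: only nodes labelled sensitive-data=true are eligible.
  nodeSelector:
    sensitive-data: "true"  # quoted, label values are strings
  affinity:
    podAntiAffinity:
      # Enforced when the pod is scheduled; not re-checked while it runs.
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            role: application             # hypothetical label on the application Pod
        topologyKey: kubernetes.io/hostname   # "same node" means same hostname
  containers:
  - name: database
    image: registry.example.com/database:1.0  # placeholder image
```

nodeSelector only steers this Pod onto the labelled nodes; it does not keep other workloads off them. Check the placement with 'kubectl get pod my-app -o wide', which prints the node the Pod landed on.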
QUESTION NO: 8

Set Configuration Context:
[student@node-1] $ kubectl config use-context k8s
Task
You have rolled out a new pod to your infrastructure and now you need to allow it to communicate with the web and storage pods but nothing else. Given the running pod kdsn00201-newpod, edit it to use a network policy that will allow it to send and receive traffic only to and from the web and storage pods.

Correct Answer:
See the solution below.
Explanation:
To allow a pod to send and receive traffic only to and from specific pods, you can use network policies in Kubernetes.
First, you will need to create a network policy that defines the allowed traffic. You can create a network policy yaml file with the following rules:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: newpod-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: kdsn00201-newpod
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    - podSelector:
        matchLabels:
          app: storage
This policy will only allow incoming traffic to the pod with the label app=kdsn00201-newpod from pods with the label app=web or app=storage. If you have different labels on your web and storage pods please update the matchLabels accordingly.
Once you have created the network policy, you can apply it to the cluster by running the following command:
kubectl apply -f <network-policy-file>.yaml
This will apply the network policy to the cluster, and the newpod will only be able to send and receive traffic to and from the web and storage pods.
Please note that the NetworkPolicy resource is not available by default; you need to enable the NetworkPolicy feature on your Kubernetes cluster. This feature is enabled by default on some clusters and must be explicitly enabled on others. You can check if NetworkPolicy is available by running the command kubectl api-versions | grep networking
Also, you need to ensure that the pods that you want to allow traffic to and from are running in the same namespace.
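An added example, not part of the original answer: the manifest above has only an ingress section, so Kubernetes treats it as an Ingress-only policy and traffic leaving the pod is not restricted. The variant below adds matching egress rules, keeping the assumed labels app=web and app=storage; the policy name is hypothetical.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: newpod-both-directions   # hypothetical name
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: kdsn00201-newpod
  # Listing both types makes the selected pod default-deny in each
  # direction; only the peers below are then allowed.
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    - podSelector:
        matchLabels:
          app: storage
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: web
    - podSelector:
        matchLabels:
          app: storage
  # No rule for cluster DNS: name lookups from this pod are blocked as
  # well, which matches "nothing else" in the task. Reach peers by IP or
  # add a DNS egress rule if names are needed.
```

The rules take effect only where the cluster's network plugin enforces NetworkPolicy. 'kubectl describe networkpolicy newpod-both-directions' shows the ingress and egress peers as the API server stored them.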
QUESTION NO: 9
You are building a Kubernetes application that involves a microservice architecture with multiple pods for each service. One of your services requires a sidecar container to handle logging and monitoring. How would you design the pod structure and define the relationships between the application container and the sidecar container?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Define Pod Specification:
- Create a pod definition file (e.g., 'pod.yaml').
- Include the 'apiVersion', 'kind', 'metadata' (name, labels), and 'spec' sections.
2. Define Application Container:
- Within the 'spec.containers' section, define the primary application container:
- 'name': Provide a descriptive name for the application container (e.g., 'app').
- 'image': Specify the Docker image for the application.
- 'ports': Define any ports that the application exposes.
- 'resources': (Optional) Specify resource requests and limits for the application container.
3. Define Sidecar Container:
- Add another container definition within the 'spec.containers' section for the sidecar:
- 'name': Provide a name for the sidecar container (e.g., 'logger').
- 'image': Specify the Docker image for the sidecar container (e.g., 'busybox').
- 'command': Define the command to run within the sidecar. This might involve using a logging agent, monitoring tool, or any other custom script.
- 'volumeMounts': (Optional) If the sidecar needs access to shared data, mount volumes here.
4. Define Shared Volumes (Optional):
- If necessary, create a 'spec.volumes' section to define any shared volumes that both containers can access. This might include:
- 'emptyDir': For temporary data that only exists within the pod.
- 'persistentVolumeClaim': To use a persistent volume claim for shared data that persists beyond pod restarts.
5. Configure Container Relationships:
- Ensure that the 'name' of the application container and sidecar container is the same as the 'name' used in the 'volumeMounts' section.
Example YAML:

- The pod named 'my-app-pod' includes two containers: 'app' (the primary application) and 'logger' (the sidecar).
- The 'logger' container uses a 'command' to simulate logging activity.
- Both containers can access the 'logs' volume, which is an empty directory.
Important Note:
- The sidecar container should ideally be configured to interact with the application container. This might involve using shared volumes, environment variables, or inter-process communication mechanisms to facilitate data exchange or signal passing.
- Remember to adapt the example to your specific application requirements, choosing the appropriate container images, commands, and volumes.
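A manifest matching the description above, added here as an example and not taken from the original page. The pod, container and volume names follow the text; the application image, label, mount paths, resource figures and the logging command are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-app-pod
  labels:
    app: my-app              # hypothetical label
spec:
  containers:
  - name: app
    image: nginx:1.25        # placeholder application image
    ports:
    - containerPort: 80
    resources:
      requests: {cpu: 100m, memory: 64Mi}
      limits: {cpu: 250m, memory: 128Mi}
    volumeMounts:
    - name: logs             # refers to volumes[].name below
      mountPath: /var/log/nginx
  - name: logger
    image: busybox
    # Simulated logging activity: append a timestamp every 5 seconds.
    command: ["sh", "-c", "while true; do date >> /logs/sidecar.log; sleep 5; done"]
    volumeMounts:
    - name: logs             # same volume, different path in this container
      mountPath: /logs
  volumes:
  - name: logs
    emptyDir: {}             # removed together with the pod
```

Both containers see the same files because each volumeMounts entry names the 'logs' volume declared under spec.volumes.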