Certified Kubernetes Administrator CKA MCQs with Answers 2026

Certified Kubernetes Administrator CKA MCQs with Answers-Featureimage-mcqstop

40+
MCQs Covered
5
Domains Covered
66%
Pass Score
2026
Updated For

The Certified Kubernetes Administrator (CKA) from the Cloud Native Computing Foundation (CNCF) is the industry’s most respected Kubernetes certification. It validates your ability to design, install, configure, and manage production-grade Kubernetes clusters. Unlike multiple-choice exams, the CKA is 100% hands-on — you solve real problems in a live Kubernetes environment. Whether you’re a DevOps engineer, SRE, cloud engineer, or platform engineer — CKA proves you can operate Kubernetes at scale. These MCQs cover all five exam domains to build the conceptual foundation needed before tackling hands-on practice.

Question 01

Which component of the Kubernetes control plane stores all cluster data and configuration in a key-value format?

Akube-apiserver
Betcd ✅
Ckube-scheduler
Dkube-controller-manager
💡 Explanation: etcd is a consistent, highly available distributed key-value store that serves as Kubernetes’ backing store for ALL cluster data — including node info, pods, configs, secrets, and service accounts. It’s the single source of truth. Only kube-apiserver communicates directly with etcd. Backing up etcd is critical for disaster recovery. The kube-apiserver handles API requests, kube-scheduler assigns pods to nodes, and controller-manager runs control loops.

Question 02

Which component runs on every worker node and is responsible for ensuring containers are running in pods?

Akubelet ✅
Bkube-proxy
Ckube-apiserver
DContainer runtime
💡 Explanation: The kubelet is an agent that runs on every worker node. It receives PodSpecs from the API server and ensures the described containers are running and healthy. If a container crashes, the kubelet restarts it. kube-proxy handles networking rules, kube-apiserver runs on control plane nodes, and the container runtime (containerd, CRI-O) is the software that actually runs containers. Know all node components for CKA.

Question 03

In Kubernetes RBAC, what does a RoleBinding do?

ADefines a set of permissions (verbs on resources)
BGrants the permissions defined in a Role to a user, group, or service account within a namespace ✅
CCreates a new namespace
DEncrypts secrets at rest
💡 Explanation: RBAC has four key objects: Role (namespace-scoped permissions), ClusterRole (cluster-wide permissions), RoleBinding (grants Role to subjects within a namespace), and ClusterRoleBinding (grants ClusterRole cluster-wide). A RoleBinding connects a Role to users/groups/service accounts. Option A describes a Role, not a RoleBinding. Understanding RBAC is critical for the CKA — it’s tested heavily.



2

Workloads & Scheduling

Domain 2 — 15% of Exam

Question 04

What is the smallest deployable unit in Kubernetes?

AContainer
BPod ✅
CDeployment
DNode
💡 Explanation: A Pod is the smallest deployable unit in Kubernetes. A Pod wraps one or more containers that share the same network namespace (IP address), storage volumes, and lifecycle. While containers run the actual application, Kubernetes schedules, scales, and manages Pods — not individual containers. Most Pods run a single container, but sidecar patterns use multiple containers per Pod (logging agents, proxies).

Question 05

Which Kubernetes workload resource ensures that a specified number of pod replicas are running at any given time and handles rolling updates?

AReplicaSet
BDeployment ✅
CDaemonSet
DStatefulSet
💡 Explanation: A Deployment manages ReplicaSets and provides declarative updates, rolling updates, and rollbacks for Pods. It’s the most common way to run stateless applications. A ReplicaSet ensures a set number of pod replicas but doesn’t support rolling updates directly. DaemonSet runs one pod per node (monitoring agents). StatefulSet is for stateful apps needing stable network IDs and persistent storage (databases).

Question 06

How do you scale a Deployment named “webapp” to 5 replicas using kubectl?

Akubectl scale deployment webapp --replicas=5
Bkubectl resize deployment webapp 5
Ckubectl set replicas webapp 5
Dkubectl update deployment webapp --replicas=5
💡 Explanation: kubectl scale deployment webapp --replicas=5 is the correct imperative command. You can also use kubectl edit deployment webapp to modify the YAML directly, or kubectl apply -f with an updated manifest. The CKA exam is hands-on, so knowing kubectl commands is essential. Other useful commands: kubectl get, kubectl describe, kubectl logs, kubectl exec.



3

Services & Networking

Domain 3 — 20% of Exam

Question 07

Which Kubernetes Service type exposes the service on each node’s IP at a static port, allowing external access?

AClusterIP
BNodePort ✅
CLoadBalancer
DExternalName
💡 Explanation: NodePort exposes the service on a static port (30000-32767) on every node’s IP, allowing external traffic via NodeIP:NodePort. ClusterIP (default) is internal-only. LoadBalancer provisions a cloud load balancer (AWS ELB, GCP LB) and is the standard for production external access. ExternalName maps a service to a DNS name. Know all four types and when to use each.

Question 08

Which Kubernetes resource provides HTTP/HTTPS routing to services based on hostnames and URL paths?

AService
BIngress ✅
CNetworkPolicy
DEndpoint
💡 Explanation: Ingress manages external access to services via HTTP/HTTPS, providing URL-based routing, host-based routing, SSL termination, and load balancing. Example: route app.example.com/api to the API service and app.example.com/web to the frontend service. An Ingress Controller (NGINX, Traefik, HAProxy) must be deployed to implement Ingress rules. NetworkPolicy controls pod-to-pod traffic.

Question 09

How does CoreDNS enable service discovery within a Kubernetes cluster?

AIt resolves service names to ClusterIP addresses so pods can communicate using DNS names ✅
BIt assigns IP addresses to pods via DHCP
CIt creates load balancers for each service
DIt encrypts network traffic between pods
💡 Explanation: CoreDNS is the default DNS server in Kubernetes. It allows pods to discover services by name rather than IP address. A service named “frontend” in the “default” namespace can be reached at frontend.default.svc.cluster.local. CoreDNS automatically creates DNS records for services and pods. This is how microservices communicate inside a cluster without hardcoding IP addresses.



4

Storage

Domain 4 — 10% of Exam

Question 10

What is the relationship between a PersistentVolume (PV) and a PersistentVolumeClaim (PVC) in Kubernetes?

AA PV is the actual storage resource; a PVC is a request by a user for that storage ✅
BPV and PVC are the same thing
CA PVC creates the actual storage in the cloud
DPVCs are only used with ConfigMaps
💡 Explanation: A PersistentVolume (PV) is a piece of storage provisioned by an admin (or dynamically via StorageClass). A PersistentVolumeClaim (PVC) is a request for storage by a user — specifying size, access mode, and storage class. Kubernetes binds a matching PV to a PVC. Pods reference the PVC in their spec. Access modes include ReadWriteOnce (RWO), ReadOnlyMany (ROX), and ReadWriteMany (RWX).

Question 11

Which Kubernetes object is used to store non-sensitive configuration data as key-value pairs and inject it into pods as environment variables or files?

ASecret
BConfigMap ✅
CPersistentVolume
DNamespace
💡 Explanation: ConfigMaps store non-sensitive configuration data (database URLs, feature flags, config files) as key-value pairs. They can be consumed as environment variables, command-line arguments, or mounted as volume files. Secrets are similar but designed for sensitive data (passwords, tokens) — they are base64-encoded (not encrypted by default). Know the difference: ConfigMap = non-sensitive config, Secret = sensitive data.



5

Troubleshooting

Domain 5 — 30% of Exam (Highest Weight!)

Question 12

A pod is stuck in CrashLoopBackOff status. Which kubectl command should you use first to diagnose the issue?

Akubectl logs <pod-name>
Bkubectl delete pod <pod-name>
Ckubectl scale deployment --replicas=0
Dkubectl cordon <node>
💡 Explanation: kubectl logs <pod-name> shows the container’s stdout/stderr output — revealing application errors, misconfigurations, or crash reasons. Use --previous flag to see logs from the last crashed container. CrashLoopBackOff means the container starts, crashes, and Kubernetes keeps restarting it with exponential backoff. Also use kubectl describe pod to check events, resource limits, and scheduling issues.

Question 13

A pod is stuck in Pending state. Which is the MOST likely cause?

AThe container image has a bug
BNo node has sufficient resources (CPU/memory) to schedule the pod, or a PVC cannot be bound ✅
CThe Ingress controller is not configured
DDNS resolution is failing
💡 Explanation: A Pending pod hasn’t been scheduled to a node yet. Common causes: insufficient CPU/memory on available nodes, no matching nodeSelector/affinity rules, PVC cannot bind to a PV, taints preventing scheduling, or resource quotas exceeded. Use kubectl describe pod to check the Events section — it will show why scheduling failed. CrashLoopBackOff = already scheduled but crashing. ImagePullBackOff = can’t pull image.

Question 14

A worker node is showing as NotReady in the cluster. What should you check first?

ACheck if the Ingress controller is running
BCheck if kubelet is running on the node and inspect its logs ✅
CRestart the kube-apiserver
DDelete all pods on the node
💡 Explanation: A NotReady node typically means the kubelet has stopped reporting to the control plane. SSH into the node and check: systemctl status kubelet, journalctl -u kubelet for logs. Common causes include kubelet service stopped, container runtime (containerd) crashed, certificate issues, or network connectivity problems. Also check disk pressure and memory with kubectl describe node. Troubleshooting is 30% of the CKA exam — the highest-weighted domain.

🏗️ Kubernetes Architecture Quick Reference

☸️ Control Plane
kube-apiserver — API gateway & auth
etcd — Key-value data store
kube-scheduler — Assigns pods to nodes
kube-controller-manager — Runs controllers
cloud-controller-manager — Cloud integrations
🖥️ Worker Node
kubelet — Ensures containers run in pods
kube-proxy — Network rules & load balancing
Container Runtime — containerd / CRI-O
Pods — Smallest deployable units
CoreDNS — Cluster DNS resolution

⌨️ Essential kubectl Commands

get
List resources
(pods, svc, nodes)
describe
Detailed info
& events
logs
View container
output
exec -it
Shell into
a container
apply -f
Apply YAML
config
scale
Scale replicas
up or down
create
Create resource
imperatively
delete
Remove
resources

🔌 4 Kubernetes Service Types

ClusterIP
Internal only
(default type)
NodePort
Static port on
each node IP
LoadBalancer
Cloud LB
(production)
ExternalName
Maps to
DNS CNAME

💡 CKA Exam Tips

1
It’s 100% Hands-On — Practice kubectl Daily
Unlike multiple-choice exams, CKA is performance-based — you solve real problems in live Kubernetes clusters. Practice with minikube, kind, or killer.sh (the CKA simulator). Speed matters — you have about 7 minutes per task. Use imperative commands (kubectl run, kubectl create) for speed, and kubectl explain for YAML reference.
2
Troubleshooting = 30% of the Exam
Master the troubleshooting workflow: kubectl getkubectl describekubectl logskubectl exec. Know how to fix NotReady nodes (kubelet issues), CrashLoopBackOff pods (application errors), Pending pods (scheduling problems), and ImagePullBackOff (wrong image name or registry auth).
3
Use the Official Documentation During the Exam
You are allowed to access kubernetes.io/docs during the CKA exam! Bookmark key pages beforehand: RBAC, NetworkPolicies, PV/PVC, etcd backup/restore, kubeadm upgrade, and scheduling (taints, tolerations, nodeSelector). Practice navigating the docs quickly — it’s a huge time advantage.

 

🎯 Keep Practicing — More MCQs Available!

We update our question bank regularly to match the latest CNCF exam objectives

 Frequently Asked Questions

How hard is the CKA exam?

The CKA is considered a challenging exam. It has 15-20 performance-based tasks completed in a live Kubernetes cluster with a 2-hour time limit. The passing score is 66%. Because it’s hands-on (no multiple choice), you must actually solve problems — there’s no guessing. Most candidates with 3-6 months of Kubernetes experience need 4-8 weeks of dedicated preparation. The exam includes one free retake.

How much does the CKA exam cost?

The CKA exam costs $395 USD and includes one free retake within 12 months. It also includes a killer.sh exam simulator session (2 attempts). The exam is delivered online and proctored through PSI. CNCF frequently offers discounts during KubeCon events and holidays — wait for a 30-50% discount if your timeline allows.

Does the CKA certification expire?

Yes — the CKA certification is valid for 3 years (changed from 2 years in 2023). To renew, you must retake the current version of the exam. The Kubernetes version tested is updated regularly to stay current. CKA-certified professionals earn an average salary of $120,000-$160,000 in the US, making it one of the highest-paying DevOps certifications.

CKA vs CKAD — which should I take first?

CKA (Administrator) focuses on cluster management — installation, configuration, networking, storage, security, and troubleshooting. CKAD (Application Developer) focuses on building, deploying, and debugging containerized applications. If you manage clusters → CKA first. If you deploy apps on Kubernetes → CKAD first. There is ~40% content overlap, so earning one makes the other easier.

Certified Kubernetes Administrator CKA MCQs with Answers-infographic-mcqstop

You may also like

About the author

MCQS TOP

View all posts

Leave a Comment