Browse Linux Foundation and CNCF Guides

Linux Foundation KCNA Sample Questions with Explanations

April 25, 2026

Linux Foundation KCNA sample questions with explanations, traps, topic labels, and IT Mastery route links.

On this page

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for Kubernetes and Cloud Native Associate (KCNA) topics such as pods, deployments, services, controllers, namespaces, RBAC, observability, scheduling, container images, and cloud-native architecture. The prompts focus on object relationships and operational symptoms.

Where these questions fit in the KCNA guide

The sample set below is part of the Linux Foundation / CNCF KCNA guide path:

KCNA cloud-native sample questions

Work through each prompt before opening the explanation. KCNA questions reward understanding desired state, controllers, selectors, network paths, and security boundaries.

Question 1

Topic: Deployment desired state

A Kubernetes Deployment specifies three replicas. One worker node fails, and one pod becomes unavailable. What is the Deployment controller responsible for doing?

  • A. Changing the container image automatically to a smaller image.
  • B. Reconciling the desired state by creating or scheduling replacement pods when possible.
  • C. Deleting the Service because one pod is unavailable.
  • D. Converting the Deployment into a StatefulSet so pods keep stable identities.

Best answer: B

Explanation: Kubernetes controllers reconcile desired state. A Deployment controller works to maintain the requested replica count by creating replacement pods when the cluster can schedule them.

Why the other choices are weaker:

  • A is not automatic controller behavior.
  • C confuses workload availability with Service lifecycle.
  • D changes workload type and is not a controller repair action.

What this tests: Desired state, reconciliation, replicas, and Deployment controller responsibility.

Related topics: Deployments; Controllers; Desired state; Replicas

Question 2

Topic: Service selector mismatch

A Service has a stable cluster IP, but requests to it fail. The pods are running and ready. The Service selector uses app: api, while the pods are labeled app: backend. What is the most likely issue?

  • A. The pods must be converted to static pods.
  • B. The cluster IP must be manually copied into every pod.
  • C. The Service has no matching endpoints because its selector does not match the pod labels.
  • D. The container image tag is too long for Kubernetes networking.

Best answer: C

Explanation: A Service routes to pods selected by labels. If the selector and pod labels do not match, the Service has no endpoints even though the pods themselves are healthy.

Why the other choices are weaker:

  • A does not address Service-to-pod selection.
  • B misunderstands Service discovery.
  • D is unrelated to endpoint selection.

What this tests: Services, selectors, labels, endpoints, and network troubleshooting.

Related topics: Services; Selectors; Labels; Endpoints

Question 3

Topic: Least privilege in a namespace

A developer needs to view pods and logs in the staging namespace, but should not delete resources or access production. Which access-control approach is strongest?

  • A. Grant cluster-admin so the developer can troubleshoot without blockers.
  • B. Put production and staging workloads into the same namespace to simplify access.
  • C. Store the admin kubeconfig in a shared chat channel and ask developers to be careful.
  • D. Create a namespace-scoped Role with read permissions for the needed resources and bind it to the developer.

Best answer: D

Explanation: RBAC should be scoped to the namespace and verbs needed. Read-only staging access satisfies troubleshooting without granting production or destructive permissions.

Why the other choices are weaker:

  • A violates least privilege.
  • B removes a useful isolation boundary.
  • C exposes administrative credentials.

What this tests: Kubernetes RBAC, namespace scope, least privilege, and safe troubleshooting access.

Related topics: RBAC; Namespaces; Least privilege; Logs

Question 4

Topic: Readiness versus liveness

A pod starts successfully, but it should not receive traffic until it has loaded configuration and connected to a dependency. Which Kubernetes mechanism best controls whether the pod is added to Service endpoints?

  • A. A liveness probe only.
  • B. A container image digest.
  • C. A readiness probe.
  • D. A PersistentVolume reclaim policy.

Best answer: C

Explanation: Readiness indicates whether a pod is ready to receive traffic. If readiness fails, the pod can keep running while being removed from Service endpoints.

Why the other choices are weaker:

  • A restarts unhealthy containers but does not directly express traffic readiness.
  • B identifies image content, not runtime traffic eligibility.
  • D controls storage cleanup behavior, not Service routing.

What this tests: Health probes and how Kubernetes decides whether a pod should receive traffic.

Related topics: Readiness probes; Liveness probes; Service endpoints; Operations

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by the Linux Foundation, CNCF, or any certification body.

Revised on Sunday, May 10, 2026
Study Plan
FAQ