CKA Exam Prep Free practice test →

Free CKA Practice Questions

10 free, exam-style Certified Kubernetes Administrator (CKA) (CKA) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CKA practice test to study every exam domain.

These 10 free CKA questions are organized by exam domain, so you can see how each part of the Certified Kubernetes Administrator (CKA) blueprint is tested. Reveal the answer and explanation under each question.

Domain 1: Cluster Architecture, Installation & Configuration 25% of exam

Question 1

A ClusterIP Service named `frontend` is running, but requests to it time out. You run `kubectl get endpoints frontend` and the output shows `<none>` under ENDPOINTS. What is the MOST likely cause?

  1. The Service's `targetPort` is set higher than 30000
  2. kube-proxy has crashed on every node in the cluster
  3. The Service's label selector does not match any Pod's labels
  4. CoreDNS cannot resolve the Service's fully qualified domain name
Show answer & explanation

Correct answer: C - The Service's label selector does not match any Pod's labels

Question 2

On a kubeadm-built cluster, the API server is down and `kubectl` returns 'connection refused' on port 6443. Where should you look FIRST to diagnose and fix the kube-apiserver?

  1. The kube-apiserver static Pod manifest in /etc/kubernetes/manifests/
  2. The `kube-apiserver` Deployment in the kube-system namespace, then scale it
  3. The kubelet configuration file at /var/lib/kubelet/config.yaml on the node
  4. The API server logs via `kubectl logs -n kube-system kube-apiserver`
Show answer & explanation

Correct answer: A - The kube-apiserver static Pod manifest in /etc/kubernetes/manifests/

Question 3

A Pod is in `CrashLoopBackOff`. The container starts, runs briefly, then exits and restarts repeatedly. Which command will show you the application output from the container's PREVIOUS (already-crashed) instance?

  1. kubectl describe pod <pod>
  2. kubectl logs <pod> --previous
  3. kubectl get events --field-selector reason=BackOff
  4. kubectl logs <pod> --follow
Show answer & explanation

Correct answer: B - kubectl logs <pod> --previous

Question 4

A worker node shows `NotReady`. You have SSH access to the node. Which is the MOST direct first step to find out why the kubelet is unhealthy?

  1. Run `kubectl describe node` and recreate the failed Pods on another node
  2. Restart containerd and reboot the node entirely to clear any stale state
  3. Delete the node object with `kubectl delete node` and let it re-register
  4. Check `systemctl status kubelet` and `journalctl -u kubelet` on the node
Show answer & explanation

Correct answer: D - Check `systemctl status kubelet` and `journalctl -u kubelet` on the node

Question 5

A Pod has been stuck in `Pending` for several minutes and never schedules onto any node. Which of the following is LEAST likely to be the cause?

  1. Every available node carries a taint that the Pod does not tolerate
  2. The Pod requests more CPU or memory than any single node can currently provide
  3. The Pod's PersistentVolumeClaim has not yet bound to any PersistentVolume in the cluster
  4. The container image specified in the Pod cannot be pulled from the registry
Show answer & explanation

Correct answer: D - The container image specified in the Pod cannot be pulled from the registry

Question 6

Cluster-wide DNS resolution is failing - Pods cannot resolve Service names. CoreDNS runs as a Deployment in the kube-system namespace. Which check is the MOST relevant starting point?

  1. Confirm the CoreDNS Pods are Running and that the kube-dns Service has populated endpoints
  2. Increase the cluster's NodePort range so DNS query traffic is allowed to egress
  3. Re-issue the API server certificate so that kubelets can reach CoreDNS again
  4. Add a static `hostAliases` entry to every Pod that needs to resolve names
Show answer & explanation

Correct answer: A - Confirm the CoreDNS Pods are Running and that the kube-dns Service has populated endpoints

Domain 2: Workloads & Scheduling 15% of exam

Question 7

You are upgrading a worker node with kubeadm. After upgrading the kubeadm binary and running `kubeadm upgrade node`, what must you do IMMEDIATELY BEFORE upgrading and restarting the kubelet?

  1. Run `kubeadm upgrade apply` a second time to confirm the version
  2. Drain the node with `kubectl drain <node> --ignore-daemonsets`
  3. Delete the node object so the control plane re-admits it
  4. Restart the containerd runtime to clear the old kubelet socket
Show answer & explanation

Correct answer: B - Drain the node with `kubectl drain <node> --ignore-daemonsets`

Question 8

You need to take an etcd snapshot on a stacked-etcd control-plane node using `etcdctl` with API v3. Besides `--endpoints`, which set of flags is REQUIRED to authenticate to etcd?

  1. --username and --password for the configured etcd root account
  2. --token taken from the current kubeadm bootstrap token list
  3. --cacert, --cert, and --key pointing to the etcd PKI files
  4. --kubeconfig pointing at /etc/kubernetes/admin.conf for auth
Show answer & explanation

Correct answer: C - --cacert, --cert, and --key pointing to the etcd PKI files

Question 9

A RoleBinding in the `dev` namespace references a ClusterRole that grants read access to Secrets. What is the effect of this binding?

  1. It is rejected, because a RoleBinding cannot reference a ClusterRole
  2. The subject can read Secrets in every namespace in the cluster
  3. The subject can read Secrets only within the `dev` namespace
  4. The ClusterRole is automatically converted into a namespaced Role
Show answer & explanation

Correct answer: C - The subject can read Secrets only within the `dev` namespace

Question 10

A directory contains a `kustomization.yaml` alongside several manifest files. Which command correctly builds and applies the kustomization to the cluster?

  1. kubectl apply -k <directory>
  2. kubectl apply -f kustomization.yaml
  3. kubectl create -k kustomization.yaml
  4. kubectl kustomize apply <directory>
Show answer & explanation

Correct answer: A - kubectl apply -k <directory>

The rest of the CKA blueprint

The CKA exam also covers these domains. Drill them in the full free practice test:

Ready for the real thing?

Practice hundreds more CKA questions with instant scoring, weak-area drills, and full exam simulations.

Start the free practice test See pricing