Practice 10 CKAD-style Kubernetes scenarios with instant explanations.
This free CKAD Practice Exam 3 focuses on application configuration, rollouts, probes, services, security context, resources, init containers, volumes, network policies, and Jobs. Each question has four options plus a clear explanation of why the correct answer is right and why the other options are wrong.
Start the free practice exam below. Select one answer for each question. Your score updates as you go, and the explanation appears immediately after each answer.
You need to create a Pod that reads the environment variable APP_MODE from a ConfigMap named app-settings. Which approach is correct?
Correct answer: B
Why this is right: envFrom with configMapRef imports all key-value pairs from a ConfigMap as environment variables in the container. If the ConfigMap has APP_MODE=production, the container receives APP_MODE automatically.
Why the other options are incorrect:
- B: A ConfigMap is not a Secret, and mounting it as a volume creates files, not environment variables unless the app reads those files.
- C: imagePullSecrets is only for authenticating to private image registries. It does not inject application configuration.
- D: metadata.labels are Kubernetes object labels. They do not become container environment variables.
A Deployment named api is running image repo/api:v1. You update it to repo/api:v2, but the new version fails readiness checks. What is the best immediate recovery command?
Correct answer: C
Why this is right: kubectl rollout undo returns the Deployment to the previous ReplicaSet revision, which is the safest immediate rollback when a new rollout fails.
Why the other options are incorrect:
- B: Deleting the Deployment removes the workload and can cause downtime unless another controller recreates it.
- C: Scaling to zero stops traffic completely and does not restore the previous working version.
- D: Exposing the Deployment changes networking, not the broken application version.
A container takes 40 seconds to start accepting traffic on /ready. Which probe configuration best prevents traffic from reaching it too early?
Correct answer: D
Why this is right: A readinessProbe tells Kubernetes whether the Pod should receive Service traffic. initialDelaySeconds gives the application time to start before readiness checks begin.
Why the other options are incorrect:
- B: A livenessProbe restarts unhealthy containers. It does not directly decide whether the Pod is added to Service endpoints.
- C: startupProbe helps slow-starting containers avoid premature liveness failures, but readiness is still the correct signal for traffic routing.
- D: Multiple replicas reduce risk but do not guarantee an individual Pod is ready before it receives traffic.
A Service has port: 80 and targetPort: 8080. What does targetPort mean?
Correct answer: B
Why this is right: targetPort is the destination port on the selected Pods. In this case, clients hit the Service on port 80, and Kubernetes forwards traffic to port 8080 on the Pods.
Why the other options are incorrect:
- B: That describes nodePort in a NodePort Service, not targetPort.
- C: kubectl talks to the Kubernetes API server separately; Service targetPort is application networking.
- D: Container registry access is unrelated to Kubernetes Service routing.
A CKAD task asks you to run a container as a non-root user with UID 1000. Which field should you use?
Correct answer: A
Why this is right: securityContext.runAsUser sets the Linux user ID used to run the container process. UID 1000 is a common non-root user ID.
Why the other options are incorrect:
- B: resources.requests is for CPU and memory scheduling, not Linux users.
- C: serviceAccountName controls Kubernetes API identity, not the Linux user inside the container.
- D: imagePullPolicy controls when images are pulled. NonRoot is not a valid imagePullPolicy value.
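An added example, not part of the original quiz: a Pod manifest that sets runAsUser: 1000 as the explanation describes. It goes beyond that single field to show the companion settings usually paired with it and how pod-level and container-level securityContext interact. The Pod name, image and command are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-demo            # hypothetical name
spec:
  securityContext:              # pod-level: default for every container in the Pod
    runAsUser: 1000             # UID of the container process
    runAsGroup: 1000            # primary GID of the container process
    runAsNonRoot: true          # kubelet refuses to start a container that would run as UID 0
    seccompProfile:
      type: RuntimeDefault      # use the container runtime's default syscall filter
  containers:
  - name: app
    image: busybox:1.36         # placeholder image
    command: ["sh", "-c", "id && sleep 3600"]
    securityContext:            # container-level: wins over pod-level for fields set in both
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
```

After applying it, kubectl logs nonroot-demo should report uid=1000 for the running process.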
A Pod is frequently evicted during node memory pressure. Which configuration helps Kubernetes schedule it more predictably?
Correct answer: C
Why this is right: Memory requests help the scheduler place Pods on nodes with enough capacity, and limits protect the node from one container consuming too much memory.
Why the other options are incorrect:
- B: restartPolicy affects container restart behavior, not scheduling capacity or eviction priority.
- C: Removing probes hides health information and does not solve memory pressure.
- D: Service type affects traffic exposure, not Pod memory usage or scheduling.
Your app container must not start until a configuration file is generated in a shared volume. Which Kubernetes feature is best?
Correct answer: D
Why this is right: initContainers run to completion before regular app containers start. An emptyDir volume can be shared so the initContainer writes a file and the app container reads it.
Why the other options are incorrect:
- B: Probes check health; they should not be used to create required startup files.
- C: A Service provides stable networking to Pods. It does not generate files.
- D: NetworkPolicy controls allowed network traffic. It does not mount or create files.
A sidecar container writes logs to /var/log/app and the main container must read the same files. What volume type is appropriate for temporary shared storage?
Correct answer: A
Why this is right: emptyDir is created for the lifetime of a Pod and can be mounted by multiple containers in that Pod, making it useful for temporary shared files.
Why the other options are incorrect:
- B: hostPath ties the Pod to node filesystem details and mounting it only into the sidecar means the main container cannot read it.
- C: ConfigMaps are for configuration data, not runtime log files generated by containers.
- D: Secrets are for sensitive values, not normal temporary log sharing.
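An added example, not part of the original quiz, covering both the init container question and this shared-volume question: an initContainer writes a file into an emptyDir and the app container mounts the same volume to read it. The Pod name, image, file name and paths are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: init-config-demo        # hypothetical name
spec:
  volumes:
  - name: shared
    emptyDir: {}                # created with the Pod, deleted with the Pod
  initContainers:
  - name: generate-config
    image: busybox:1.36         # placeholder image
    # Must exit 0 before any container under "containers" is started.
    command: ["sh", "-c", "echo 'mode=production' > /work/app.conf"]
    volumeMounts:
    - name: shared
      mountPath: /work
  containers:
  - name: app
    image: busybox:1.36         # placeholder image
    command: ["sh", "-c", "cat /etc/app/app.conf && sleep 3600"]
    volumeMounts:
    - name: shared              # same volume, different mount path
      mountPath: /etc/app
      readOnly: true            # the app only consumes the generated file
```

The sidecar log case uses the same mechanism: list both containers under containers and mount the one emptyDir at /var/log/app in each, read-only in the container that only reads.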
Only Pods with label role=frontend should connect to Pods with label app=api on TCP port 8080. Which object is designed for this requirement?
Correct answer: B
Why this is right: NetworkPolicy controls allowed network traffic between Pods. You select the destination Pods and define ingress rules that allow traffic from specific source labels and ports.
Why the other options are incorrect:
- B: ServiceAccounts provide identity for API access, not Pod-to-Pod traffic rules.
- C: Ingress manages external HTTP routing into the cluster, not internal Pod label-based traffic control.
- D: PodDisruptionBudget protects availability during voluntary disruptions. It does not control network access.
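An added example, not part of the original quiz: a NetworkPolicy that expresses the requirement in this question. The policy name and namespace are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend      # hypothetical name
  namespace: default            # assumed namespace
spec:
  podSelector:                  # destination Pods the policy applies to
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:              # source Pods; matches only Pods in the policy's own namespace
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 8080
```

Once the app=api Pods are selected by an Ingress policy, any ingress not matched by a rule is dropped, so other Pods and other ports are denied without a separate deny rule. The policy is only enforced if the cluster's network plugin supports NetworkPolicy.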
You need to run a database migration once and stop after it completes successfully. Which workload is most appropriate?
Correct answer: C
Why this is right: A Job runs Pods to completion and tracks successful completion count. It is the right controller for one-time tasks like migrations or batch work.
Why the other options are incorrect:
- B: A Deployment keeps long-running Pods available and restarts them if they exit, which is not ideal for a one-time migration.
- C: A DaemonSet runs one Pod on selected nodes, commonly for agents, not one-time application tasks.
- D: HorizontalPodAutoscaler scales an existing workload based on metrics. It does not run a task by itself.
What this CKAD Exam 3 covers
- ConfigMaps, Secrets, and environment variables
- Deployments, rollbacks, probes, and Services
- Security context, resource limits, and scheduling behavior
- Init containers, shared volumes, NetworkPolicies, and Jobs
Next steps after this mock test
Practice every missed topic with kubectl and YAML. CKAD rewards fast, accurate hands-on work, so use each explanation as a small lab target.
FAQ
Is CKAD Practice Exam 3 free?
Yes. This mock test is free to use and can be retaken anytime.
Are these questions useful for CKAD preparation?
Yes. The questions focus on application-level Kubernetes tasks and concepts that match CKAD-style preparation.
Should I memorize these answers?
No. Use the explanations to understand the Kubernetes behavior, then practice similar tasks in a cluster.
