Free CKAD Questions for Linux Foundation Certified Kubernetes Application Developer CKAD Exam as PDF & Practice Test Engine

  • Exam Code/Number: CKAD
  • Exam Name/Title: Linux Foundation Certified Kubernetes Application Developer Exam
  • Certification Provider: Linux Foundation
  • Corresponding Certification: Kubernetes Application Developer
  • Exam Questions: 239
  • Updated On: Jul 12, 2026
Context
You are asked to scale an existing application and expose it within your infrastructure.

First, update the Deployment nginx-deployment in the prod
namespace :
. to run 2 replicas of the Pod
. add the following label to the Pod :
role: webFrontEnd
Next, create a NodePort Service named rover in the prod namespace exposing the nginx-deployment Deployment 's Pods See the Explanation below for complete solution.
Correct Answer:
Below is an exam-style, step-by-step solution (commands + verification). Follow exactly on host ckad000.
0) Connect to the right host
ssh ckad000
(Optional but good sanity check)
kubectl config current-context
kubectl get ns
1) Inspect the existing Deployment (to know its labels/ports)
kubectl -n prod get deploy nginx-deployment
kubectl -n prod get deploy nginx-deployment -o wide
Check what labels the Pod template already has (important for the Service selector):
kubectl -n prod get deploy nginx-deployment -o jsonpath='{.spec.template.metadata.labels}{"\n"}' Check container ports (so we expose the correct targetPort):
kubectl -n prod get deploy nginx-deployment -o jsonpath='{.spec.template.spec.containers[0].ports}{"\n"}' If ports output is empty, it's still often nginx on 80, but the safest is to confirm by describing a pod later.
2) Update Deployment to 2 replicas
Fastest:
kubectl -n prod scale deploy nginx-deployment --replicas=2
Verify:
kubectl -n prod get deploy nginx-deployment
3) Add label role=webFrontEnd to the Pod (Pod template label)
You must add it under:
spec.template.metadata.labels
Use a patch (quick + safe):
kubectl -n prod patch deploy nginx-deployment \
-p '{"spec":{"template":{"metadata":{"labels":{"role":"webFrontEnd"}}}}}' Verify the Deployment template now includes it:
kubectl -n prod get deploy nginx-deployment -o jsonpath='{.spec.template.metadata.labels}{"\n"}' Now verify the running Pods have the label (important!):
kubectl -n prod get pods --show-labels
If the label doesn't show on pods immediately, wait for rollout:
kubectl -n prod rollout status deploy nginx-deployment
kubectl -n prod get pods --show-labels
4) Create a NodePort Service rover exposing the Deployment's Pods
4.1 Get a reliable target port
Try to read containerPort:
kubectl -n prod get deploy nginx-deployment -o jsonpath='{.spec.template.spec.containers[0].ports[0].
containerPort}{"\n"}'
* If this prints a number (commonly 80), use it as --target-port.
* If it prints nothing/empty, check a pod:
POD=$(kubectl -n prod get pod -l role=webFrontEnd -o jsonpath='{.items[0].metadata.name}') kubectl -n prod describe pod "$POD" | sed -n '/Containers:/,/Conditions:/p' | sed -n '/Ports:/,/Environment:/p' Assuming nginx is on 80 (most common), create the service:
kubectl -n prod expose deploy nginx-deployment \
--name=rover \
--type=NodePort \
--port=80 \
--target-port=80
If your nginx container port is different (e.g., 8080), change --target-port=8080 accordingly.
5) Verify Service + endpoints (critical)
kubectl -n prod get svc rover -o wide
kubectl -n prod describe svc rover
kubectl -n prod get endpoints rover -o wide
You should see 2 endpoints (matching 2 pods).
Also confirm the pods are Ready:
kubectl -n prod get pods -l role=webFrontEnd -o wide
Quick "CKAD checkpoints"
* Deployment in prod has replicas=2
* Pod template has label role=webFrontEnd
* Service rover in prod is NodePort
* Service endpoints point to the nginx pods
You have a microservices application where you need to route traffic to different versions of a service based on the 'version' header in the incoming request. For example, if the header is set to 'VI' , the request should be routed to the 'VI' version Of the service, and if it's 'v? , it should be routed to the 'v? version. Design and implement an Ambassador pattern in Kubernetes to achieve this dynamic routing.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create Ambassador Service and Deployment:
- Define an Ambassador service and deployment using the Ambassador chart
- The chart can be found at: https:ngithub.com/datawire/ambassador
- IJpdate the chart to include the Ambassador configuration for dynamic routing based on the 'version' header

2. Configure Ambassador for Header-Based Routing: - Update the Ambassador YAML configuration to define a mapping that uses the 'version' header for routing. - This configuration will specify the mapping from the header value to the corresponding service endpoint.

3. Deploy the Ambassador Configuration: - Create a ConfigMap or Secret in Kubernetes to store the Ambassador configuration- - Then, apply this configuration to your Ambassador deployment. 4. Create the Service Versions: - You need to have separate deployments and services for each version of your application. - Each version will have a unique service name to be referenced in the Ambassador configuration.

5. Test the Routing: - Send requests to the Ambassador service with different 'Version' headers. - Observe the traffic being routed correctly to the corresponding version of the service. bash curl -H 'Version: VI" http://ambassador-service-ip:8080/ curl -H 'Version: v2" http://ambassador-service-ip:8080/ This will route requests to the appropriate service version based on the 'Version' header.,
You have a Deployment named 'bookstore-deployment which deploys a Bookstore application, utilizing a PostgreSQL database. The deployment has 3 replicas. The database server is managed externally. The application is built With a feature to dynamically resize its replica count based on the load- You need to implement a strategy to automatically adjust the replica count to between 2 and 5, based on the CPU utilization of the pods. This should happen without manual intervention.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Horizontal Pod Autoscaler (HPA):
- use the 'kubectl create hpa' command to create an HPA named 'bookstore-hpa'
- Set the 'minRepIicas' to 2 and 'maxRepIic.as' to 5, defining the desired range of replicas.
- Set the 'targetCPlJLJtilizationPercentage' to 70, meaning the replica count will adjust when the average CPU utilization ot the pods crosses 70%.
- Specify the selector to match the 'bookstore-deployment' pods.

2. Apply the HPA: - Run 'kubectl apply -f bookstore-hpa.yamr to create the HPA. 3. Verify the HPA: - Check the status of the HPA using 'kubectl get hpa bookstore-hpa' 4. Observe Replica Adjustment: - Increase the load on the bookstore application to trigger the HPA scaling. - Monitor the replica count of the bookstore-deployment' using 'kL1bectl get deployments bookstore-deployment. You will observe the replica count automatically adjusting based on the CPL] utilization- 5. Customize Scaling Parameters: - You can customize the 'targetCPLJlJtilizationPercentage', 'minReplicas', and 'maxReplicaS in the HPA definition based on the application requirements and desired benavior.
You have a Kubernetes cluster With several deployments using secrets for sensitive information. You need to implement a mechanism to ensure that these secrets are rotated regularly to enhance security. Explain how you can achieve this using Kubernetes native features, and provide a detailed example demonstrating the process of secret rotation for a deployment called "myapp" which utilizes a secret named "myapp-secret".
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Secret Rotation Job:
- Define a CronJob:
- This job will be scheduled to run periodically to trigger the secret rotation process.
- In the CronJob definition, specify the desired schedule (e.g., daily, weekly, monthly) using a cron expression.

2. Update Deployment to Use New Secret: - Modify the Deployment Configuration: - Update the Deployment YAML tile of "myapp" to utilize the newly generated secret. - Replace the old secret name with the new secret name.

3. Apply the Changes: - Run the Update Commands: - Apply the CronJ0b definition using kubectl apply -f myapp-secret-rotator.yamr - Apply the updated Deployment configuration using 'kubectl apply -f myapp-deployment.yamr. 4. Verification: - Monitor tne CronJob and Deployment: - Use ' kubectl get cronjobs myapp-secret-rotator' to confirm the CronJob is running and triggering the rotation. - Monitor the 'myapp' Deployment to ensure the pods are utilizing the newly generated secret using 'kubectl get pods -l app=myapp' - Observe the output of the Deployment to verifry the rotation is successful. Key Points: - Secret Rotation Logic: The CronJob runs a script that deletes the old secret ( ' myapp-secret) and creates a new secret with updated credentials. - Deployment Update: The Deployment is updated to use tne new secret, ensuring tne application uses the latest credentials. - Automated Process: This approach automates the secret rotation process, eliminating manual intervention and enhancing security. This example demonstrates how to implement automated secret rotation for deployments using Kubernetes. You can modify the script in the CronJob and the deployment configuration to suit your specific environment and credential management needs. ,
You have a Deployment named 'wordpress-deployment' that runs 3 replicas of a WordPress container. You want to ensure that the deployment is always updated with the latest image available in the 'wordpress/wordpress:latest' Docker Hub repository However, you need to implement a rolling update strategy that allows for a maximum ot two pods to be unavailable during the update process.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. IJpdate the Deployment YAML:
- Update the 'replicas to 3-
- Define 'maxunavailable: 2 and 'maxSurge: in the 'strategy.rollingupdate' section.
- Configure a 'strategy-type' to 'RollinglJpdate' to trigger a rolling update when the deployment is updated.
- Add a 'spec-template-spec-imagePullPolicy: Always' to ensure that the new image is pulled even if it exists in the pod's local cache.

2. Create the Deployment: - Apply the updated YAML file using 'kubectl apply -f wordpress-deployment.yamr 3. Verify the Deployment: - Check tne status of the deployment using 'kubectl get deployments wordpress-deployment' to confirm the rollout and updated replica count. 4. Trigger the Automatic Update: - Push a new image to the 'wordpress/wordpress:latest Docker Hub repository. 5. Monitor the Deployment: - Use 'kubectl get pods -I app=wordpress' to monitor the pod updates during the rolling update process. You will observe that two pods are terminated at a time, while two new pods with the updated image are created. 6. Check for Successful Update: - Once the deployment is complete, use 'kubectl describe deployment wordpress-deployment' to see that the 'updatedReplicaS field matches the 'replicas' field, indicating a successful update.
You have a Kubernetes deployment named 'my-app' that runs an application with a specific configuration defined in a ConfigMap named 'my-config'. You need to implement a strategy to automatically update tne deployment wnen tne ConfigMap is changed.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a 'ConfigMap' named 'my-configs with the following contents:

2. Create a 'Deployment' named 'my-app' that mounts the 'my-config' ConfigMap as a volume:

3. Apply the ConfigMap and Deployment bash kubectl apply -f configmap.yaml kubectl apply -f deployment.yaml 4. Update the ConfigMap with new values:

5. Apply the updated ConfigMap: bash kubectl apply -f configmap.yaml - The 'kustomization.yamr file defines the resources (the 'deployment_yamr file) and the patches to apply. - The 'deployment_yamr file contains the base configuration for the deployment. - The patch.yamr tile applies a strategic merge patch to the deployment, configuring rolling updates and automatic updates triggered by new images. - The 'maxSurge' and 'maxunavailable' settings in the 'patch_yaml' define the maximum number of pods that can be added or removed during the update process. - The 'imagePullPolicy: Always' ensures that the new image is pulled from Docker Hub even if it exists in the pod's local cache, triggering the update.
You are tasked with deploying a complex application using Helm. The application consists of multiple microservices, each with its own deployment and service. To simplify the deployment and management of these microservices, you need to implement a mecnanism that allows you to automatically create and manage namespaces based on the name of the Helm release.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Custom Helm Chart:
- Begin by creating a custom Helm chart named 'my-app-chart' to manage the application's multiple microservices.
2. Implement a Namespace Creation Function:
- Within the 'my-app-chafltemplatesr directory, create a file named 'namespace-yamr and define the namespace creation function.

- This function uses the Helm release name to dynamically generate a namespace with the format '-namespace' 3. Add the Namespace to the Chan: - Modify the 'my-app-chart/templates/service.yamr and 'my-app-chart/templates/deployment_yamr for each microservice to ensure the deployments and services reside within the dynamically created namespace:

4. Deploy the Chart with Different Releases: - Use tne following command to deploy tne chart with different releases, each creating a separate namespace: bash nelm install release1 my-app-chart helm install release2 my-app-chart - This will create namespaces release1-namespace' and release2-namespace , each containing the deployments and services of the respective releases. 5. Manage and Clean Up: - To manage and clean up the deployments and namespaces, you can use regular Helm commands within the context or each namespace: bash kubectl --namespace release1 -namespace get pods helm delete release1 kubectl delete namespace release1-namespace - This approach provides a structured and automated method for managing multiple microservices within separate namespaces using Helm releases.,
You have a Deployment named 'my-app-deployment' that runs 3 replicas of a Spring Boot application. This application needs to access a PostgreSQL database hosted on your Kubernetes cluster. You need to create a Custom Resource Definition (CRD) to define a new resource called 'Database' to represent the PostgreSQL database instances within your cluster. This CRD should include fields for specifying the database name, username, password, and the host where the database is deployed. Further, you need to configure the 'my- app-deployment' to use the 'Database' resource to connect to the PostgreSQL instance dynamically.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Define the CRD:
- Create a YAML file named 'database.crd.yaml' to define the "Database' resource:

2. the CRD: - Apply tre 'database.cre.yaml' using 'kubectl "ply -f database.crd.ya'mr 3. Create A Database Instance: - 'eate YAML file 'd:tabaseyarnl' to define a database instance

4. Apply the Database Instance: - Apply the 'database.yaml' using 'kubectl apply -f database.yamr 5. IJpdate the Deployment - Update the Amy-app-deployment.yaml' to use the 'Database' resource:

6. Apply the Updated Deployment: - Apply the updated 'my-app-deployment.yamr using 'kubectl apply -f my-app-deployment.yamr 7. Verify the Configuration: - Use 'kubectl get databases to check the database instance. - Use 'kubectl describe pod -l app=my-app' to verify that the pods are using the values from the 'Database' resource tor connecting to the PostgreSQL database. This approach demonstrates how to utilize CRDs to define custom resources in Kubernetes and how to connect applications dynamically to these resources. The CRO ensures proper definition of the database resource, while the deployment utilizes the 'fieldRef mechanism to access and retrieve database connection details directly from the CRD, enabling dynamic configuration and simplification of application setup.,
You have a Deployment named 'api-deployment' that runs an API server. The API server handles sensitive data and must have strong security measures. You want to ensure that all pods within the Deployment are running with a specific security context that limits their capabilities. Describe the steps to configure a Securitycontext in the Deployment to enforce these security restrictions.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Define the SecurityContext:
- Add a 'securityContext' section to the container definition Within the Deployment's template.
- Define the desired security restrictions Within the 'securityContext sectiom
- 'runAsLJser': Specifies the user ID under which the container should run.
- 'runAsGroup': Defines the group ID for the container.
- 'tsGroup': Sets the supplemental group ID for the container, giving access to specific files and directories.
- 'readOnlyRootFilesystem': Specifies whether the container should have read-only access to the root filesystem.
- 'capabilities': Configures the allowed capabilities for the container, limiting its privileges.

2. Apply the Deployment: - Use 'kubectl apply -f api-deployment_yamr to update the Deployment with the security context configuration. 3. Verify the Security Context: - Examine the pod details using 'kubectl describe pod -I app=api-server' to confirm that the SecurityContext is applied to the containers. 4. Test Security Measures: - Run tests to ensure the security context is effectively limiting the capabilities of the API server pods.
You are developing a microservices application consisting of several deployments. One of the deployments, named 'order-service- deployments , is responsible for processing orders. Each order requires a specific backend service to process the order. You need to design a mechanism that automatically assigns an appropriate backend service to each order processing pod based on the order type. For example, orders for "books" should be assigned to the 'book-service' backend, while orders for "electronics" should be assigned to the 'electronics-service backend. Explain how you would implement this dynamic backend service assignment mechanism.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
This scenario requires a mecnanism to dynamically assign a backend service to each order processing pod based on the order type. Here's how you can implement this:
1. Label the Backend Services:
- Label the backend services based on the order type they handle. For instance:
- 'book-service': 'order.type=books'
- 'electronics-service: 'order.type=electronics'
2. I-Ise a ConfigMap:
- Create a ConfigMap named 'order-backend-mapping' that stores the mapping between order types and backend service labels.
- Use the ConfigMap to dynamically assign backend services based on the order type.

3. Modify the Order Service Deployment: - In the 'order-service-deployment , add an init container that retrieves the backend service mapping from the ConfigMap. - Use this mapping to determine the appropriate backend service for each order. - The init container can inject environment variables or modify the pod's annotations based on the mapping.

4. Update the Order Service: - Ensure the 'order-service' container is configured to use the environment variable set by the init container to access the correct backend service. 5. Deploy the Changes: - Apply the updated ConfigMap and Deployment using 'kubectl apply' 6. Test the Dynamic Assignment: - Create orders of different types and verity that the 'order-service' pods are automatically assigned the correct backend services. ,
You nave a microservice tnat iS constantly updated With new features and bug fixes. You want to deploy new versions of this service in a way that minimizes downtime and avoids disrupting the existing application. Explain how you can use Kubernetes features to achieve this goal.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Use a Deployment:
- Create a 'Deployment' object to manage your microservice.
- Specify the desired number of replicas and the container image.
- Use a 'rollinglJpdate' strategy to control the update process.

2. Control Rollout Pace: - Use the maxSurge' and 'maxlJnavailable' parameters to control the number of pods that can be unavailable or created during the update process. - For example, 'maxi-Inavailable: ensures that no pods are unavailable during tne update, while 'maxSurge: 1' allows for one extra pod to be created during the update. 3. Trigger Automatic Updates: - Use a 'Deployment's 'spec-template-spec-imagePullPolicy' to trigger updates automatically when a new image is available. - Set imagePullPolicy: Always' to force a pull of the image each time the deployment is updated. 4. Monitor Rollout Progress: - Use kubectl get pods -l app=my-microservice' to monitor the rollout progress. - You can also use tne 'kubectl rollout status deployment/my-microservice' command to get detailed information about the rollout. 5. Use Liveness and Readiness Probes: - Define liveness and readiness probes to ensure that containers are healthy and ready to serve traffic. - The 'Deployment' will automatically restart unhealthy containers, while readiness probes will ensure that new pods are only considered ready for traffic once they are healtny. 6. Traffic Routing: - Use a 'Service' to expose your 'Deployment' to external clients. - Configure the 'Service' to use a 'LoadBalancer' or 'NodePort' to make the service accessible from outside the cluster. Note: This approach ensures a smooth rollout with minimal downtime. New pods are created with the new image, and traffic is gradually shifted to the updated pods while the old pods are gracefully terminated. The liveness and readiness probes ensure that only healthy pods receive traffic, and the automatic updates triggered by 'imagePullPolicy: Always' keep the service up-to-date.
You are running a critical application in your Kubernetes cluster, and it requires access to sensitive information stored in a secret To ensure the application only accesses the specific data it needs and avoids potential misuse, you need to configure ServiceAccounts With proper permissions to access the secret. Describe the steps involved in creating a ServiceAccount with the least privilege principle to access the secret Additionally, mention the YAML configuration required for the ServiceAccount and Role.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Secret:
- Create a secret to store your sensitive data using 'kubectl create secret generic my-secret -from
- This command creates a secret named 'my-secret' with two key-value pairs: 'username' and 'password'
- Replace the values with your actual sensitive data.
2. Create a ServiceAccount
- Create a ServiceAccount using 'kubectl create serviceaccount my-service-account
- This command creates a ServiceAccount named 'my-service-account'
3. Create a Role:
- Create a Role to define the permissions for the ServiceAccount. This role will grant access to the secret.
- Create a Role named 'my-role' using the following YAML:

- Save this configuration in a file named 'my-role.yamr and apply it to your cluster using 'kubectl apply -f my-role-yamp - Replace 'default' With the namespace where your secret is created. 4. Bind the Role to the ServiceAccount: - Bind the created Role to the ServiceAccount using 'kubectl create rolebinding my-role-binding -role-my-role account'. - This command creates a RoleBinding named 'my-role-binding' which binds the 'my-role' to the 'my-service-account' in the 'default' namespace. - Replace 'default' With the namespace where your secret is created. 5. Verify Permissions: - You can verify the ServiceAccount's access to the secret using 'kubectl auth can-i get secrets -as-my-service-account --namespace=default' - This command should return 'yes' if the ServiceAccount has the necessary permissions. 6. Use the ServiceAccount in your Pod: - Use the ServiceAccount within your Pod's specification to grant the application access to the secret. - Add a 'serviceAccountNames field Within your Pod specification pointing to tne created ServiceAccount.

Now your application running in the Pod will have access to the secret 'my-secret using the environment variables defined in the 'envFror-n' section. The ServiceAccount 'my-service-account is configured with the least privilege principle, ensuring that it can only access the necessary data. ,
0
0
0
10