Kubernetes and Cloud Native Associate (KCNA) #9: Full-Length Practice Exam — 50 Questions with Explanations

19 min read

This is the checkpoint that verifies whether the concepts laid out from #1 through #8 have actually settled into your head. You work through 50 questions matching the domain weights of the real KCNA. This is the final post of the series.

The real KCNA exam is 60 questions, but this mock is scored over 50 questions. The passing line is the same 75%, so 38 correct out of 50 puts you in passing territory.

How to take it #

  • Work through it in 60–75 minutes (the real exam is 60 questions in 90 minutes; this mock is sized for 50)
  • Answer one question at a time without peeking at the explanation; grade everything at the end
  • 38+ correct (75%) puts you in passing territory
  • If a domain stands out as weak, loop back to that post and review

Domain distribution #

DomainQuestionsRange
Domain 1: Kubernetes Fundamentals (46%)23Q1 – Q23
Domain 2: Container Orchestration (22%)11Q24 – Q34
Domain 3: Cloud Native Architecture (16%)8Q35 – Q42
Domain 4: Cloud Native Observability (8%)4Q43 – Q46
Domain 5: Cloud Native Application Delivery (8%)4Q47 – Q50

Domain 1: Kubernetes Fundamentals #

Q1. Which component on the control plane stores all cluster state (both desired state and current state)?
Q2. Which is the single entry point that every request interacting with the cluster passes through, and the only component that accesses etcd?
Q3. Which control plane component decides which worker node a newly created Pod runs on?
Q4. Which agent on a worker node receives the PodSpec from the control plane and makes sure the containers stay running as specified?
Q5. What is the smallest deployable and manageable execution unit in Kubernetes?
Q6. When two or more containers sit together inside a single Pod, what do they share? (Choose TWO)
Q7. Which resource guarantees that a specified number of identical Pod replicas is always kept running?
Q8. Compared with a ReplicaSet, what is the key extra capability a Deployment provides?
Q9. Which resource fits a workload that needs stable network identifiers and ordered, persistent storage, like a database?
Q10. Which resource do you use to run exactly one Pod replica on every (or a specific set of) node in the cluster?
Q11. Which resource do you use to automatically run a batch job at a fixed time once a day?
Q12. Which resource gives a group of Pods a stable single virtual IP and DNS name and load-balances traffic into the group?
Q13. What is the default Service type that is reachable only from inside the cluster?
Q14. Which Service type automatically provisions an external load balancer in a cloud environment so the Service is reachable from the internet?
Q15. Which L7 resource routes external HTTP/HTTPS traffic to multiple Services based on host and path rules?
Q16. Which resource stores configuration values (environment variables, config files) in plain text, decoupled from the container image?
Q17. Which of the following correctly describes the most important difference between a ConfigMap and a Secret?
Q18. Which resource logically separates a single physical cluster by team or project and prevents name collisions?
Q19. Which statement most accurately describes Kubernetes’ operating model?
Q20. Which key-value metadata does a Service use to pick the set of Pods to send traffic to, and a Deployment use to decide which Pods to manage?
Q21. Which probe determines whether a container is ready to receive traffic and removes it from the Service endpoints if it is not ready?
Q22. What action does the kubelet take when a liveness probe fails repeatedly?
Q23. What is the standard kubectl command that applies a declaratively written manifest file to the cluster to bring it to the desired state?

Domain 2: Container Orchestration #

Q24. Which contract is the standard interface between the kubelet and the container runtime, letting it communicate the same way regardless of which runtime is used?
Q25. Which plugin standard assigns IPs to Pods and configures network connectivity between Pods?
Q26. Which standard interface connects external storage systems to Kubernetes to provision and mount volumes?
Q27. Which of the following are CRI-compatible container runtimes commonly used in Kubernetes? (Choose TWO)
Q28. Which standard defines the industry standards for container image format and runtime behavior, making images compatible across multiple tools?
Q29. Which Kubernetes authorization model controls “who can perform which action on which resource” on a role basis?
Q30. Which resource defines rules that allow or block network traffic between Pods?
Q31. Which field specifies container- and Pod-level security settings, such as running a container as a non-root user or blocking privilege escalation?
Q32. Which pair correctly matches the actual storage resource an admin provisions in advance with the resource a user uses to request a needed capacity and access mode?
Q33. What is the layer that handles service-to-service communication with mTLS encryption, traffic management, and observability without changing application code?
Q34. What is the name of the pattern in a Service Mesh where a proxy is deployed alongside each application Pod to intercept its traffic?

Domain 3: Cloud Native Architecture #

Q35. Which component automatically scales the number of a workload’s Pod replicas up or down based on a metric like CPU utilization?
Q36. Which component automatically adjusts an individual Pod’s CPU and memory requests and limits to match its usage pattern?
Q37. Which component adds nodes from the cloud when Pods end up Pending because there is not enough node capacity to schedule them?
Q38. Which cloud native execution model runs a function only when a request comes in and scales down to zero when idle to cut cost?
Q39. Which representative CNCF project provides serverless workloads and scale-to-zero on top of Kubernetes?
Q40. Which lists the CNCF project maturity levels correctly from lowest to highest?
Q41. Which of the following is hard to consider a core characteristic of cloud native architecture?
Q42. Which CNCF open-standard project standardizes how observability data (metrics, logs, traces) is generated and collected so you are not locked into a specific vendor?

Domain 4: Cloud Native Observability #

Q43. Which correctly groups the three pillars of observability?
Q44. Which monitoring tool, the most widely used in cloud native, collects and stores time-series metrics and queries them with PromQL?
Q45. Which observability data follows the full path of a request as it passes through multiple microservices, along with the latency of each segment, to find bottlenecks?
Q46. What is the practice of making resource usage visible and reducing waste to manage cost in a cloud native environment called?

Domain 5: Cloud Native Application Delivery #

Q47. Which operating approach uses a Git repository as the single source of the desired state and automatically syncs cluster state to match it?
Q48. Which of the following correctly groups the representative CNCF tools that implement GitOps? (Choose TWO)
Q49. In GitOps, what is the most appropriate reason operators go only through Git changes instead of making imperative changes to the cluster directly with kubectl?
Q50. What is the umbrella term for a pipeline that automatically builds and tests code changes and then automates deployment as well?

Scoring #

Total Score
Correct 0 / 0
Answered 0 / 0
Score rangeVerdictNext step
45+ (90%+)Very stable. Book the examTake the exam
38–44 (76–88%)Passing zone. One more loop on weak domainsRe-read weak-domain posts #2–#8
30–37 (60–74%)Not there yet. Focused study on weak domainsTwo weak domains plus another mock
29 or fewerNeed another full loopRe-read the entire series

Per-domain score analysis #

Count correct answers per domain to find your weak spots.

DomainQuestionsTarget (75%)Review if short
Domain 1 (Q1–Q23)2317+#2 , #3
Domain 2 (Q24–Q34)118+#4
Domain 3 (Q35–Q42)86+#5
Domain 4 (Q43–Q46)43+#6
Domain 5 (Q47–Q50)43+#7

Securing your score in Domain 1, the largest at 46%, is the key to passing. Domain 1 and Domain 2 together make up 68% of the total, so if these two are shaky, clearing the passing score with the other three domains alone is difficult.

If you cleared the passing line #

  • If you got 38 or more correct, you are in passing territory. Go book the exam (Linux Foundation training portal)
  • Right before you sit, skim the exam tips and frequently missed patterns in #8 one last time
  • Pick an exam date within the next 1–2 weeks while study momentum is still high
  • Finish the online-proctored (PSI) environment check the day before the exam

If you didn’t clear the passing line #

  • Look at the per-domain score and start re-organizing from the weakest domain
  • Re-read that post in the series, focusing on the tables, mappings, and trap sections
  • Try other question patterns from the official KCNA study materials provided by CNCF
  • Retake this mock about a week later to check your progress

Series wrap-up #

All nine posts of the KCNA series are done. Here is what this series built:

  • #1 — Exam structure and study strategy
  • #2 — Domain 1 architecture and core resources
  • #3 — Domain 1 API, containers, scheduling
  • #4 — Domain 2 runtime, security, networking, storage, Service Mesh
  • #5 — Domain 3 autoscaling, serverless, community, open standards
  • #6 — Domain 4 telemetry, Prometheus, cost management
  • #7 — Domain 5 GitOps, CI/CD
  • #8 — Exam tips and frequently missed patterns
  • #9 — 50-question mock exam ← This post

If the 26-post K8s practical track built the hands-on feel of working with minikube and kubectl, this series layered on the vocabulary that turns that feel into multiple-choice exam answers. After passing KCNA, the next step is the hands-on CKAD (app developer) and CKA (cluster administrator) certifications where you work the cluster directly from the terminal — each will be organized into its own standalone series.

Good luck with the exam.

X