Pass the Linux Foundation Kubernetes and Cloud Native KCNA Questions and answers with ValidTests

https://github.com/cncf/landscape#trail-map

A picture containing timeline Description automatically generated

https://semver.org/

RegEx SemVer at https://regex101.com/r/vkijKf/1/

Kubernetes objects are RESTful objects.

https://kubernetes.io/docs/concepts/workloads/

Text Description automatically generated

https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

Text, letter Description automatically generated

https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

Graphical user interface, text Description automatically generated with medium confidence

https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#trade-offs

To monitor rollout progress for Kubernetes workload updates (most commonly Deployments, and also StatefulSets and DaemonSets where applicable), the standard kubectl command is kubectl rollout status, which makes D correct.

Kubernetes manages updates declaratively through controllers. For a Deployment, an update typically creates a new ReplicaSet and gradually shifts replicas from the old to the new according to the strategy (e.g., RollingUpdate with maxUnavailable and maxSurge). For StatefulSets, updates may be ordered and respect stable identities, and for DaemonSets, an update replaces node-level Pods according to update strategy. In all cases, you often want a single command that tells you whether the controller has completed the update and whether the new replicas are available. kubectl rollout status queries the resource status and prints a progress view until completion or timeout.

The other commands listed are not the canonical kubectl subcommands. kubectl rollout watch, kubectl rollout progress, and kubectl rollout state are not standard rollout verbs in kubectl. The supported rollout verbs typically include status, history, undo, pause, and resume (depending on kubectl version and resource type).

Operationally, kubectl rollout status deployment/ is used during releases and troubleshooting to confirm that new Pods become ready, that old replicas scale down, and that the rollout does not stall due to readiness probe failures, insufficient resources, or policy constraints (e.g., PodDisruptionBudgets interacting with drains). It ties directly into Kubernetes’ self-healing and declarative update model: you declare a new desired Pod template, and controllers reconcile toward it while rollout status reports that reconciliation’s progress.

=========

cert-manager is a widely adopted Kubernetes add-on that automates the management and lifecycle of TLS certificates in cloud native environments. Its primary function is to issue, renew, and manage certificates by integrating directly with Kubernetes-native resources, rather than modifying core cluster components or injecting certificates manually into workloads.

Option A correctly describes how cert-manager operates. cert-manager introduces Custom Resource Definitions (CRDs) such as Certificate, Issuer, and ClusterIssuer. These resources define how certificates should be requested and from which certificate authority they should be obtained, such as Let’s Encrypt or a private PKI. Once a certificate is successfully issued, cert-manager stores it in a Kubernetes Secret. These Secrets can then be referenced by Ingress resources, Gateway API resources, or directly by applications to enable TLS.

Option B is incorrect because cert-manager does not replace or interfere with Kubernetes API server certificates. The Kubernetes control plane manages its own internal certificates independently, and cert-manager is focused on application-level TLS, not control plane security.

Option C is incorrect because cert-manager does not interact with kube-proxy or manage service-to-service encryption. Traffic encryption between Services is typically handled by service meshes or application-level TLS configurations, not cert-manager.

Option D is incorrect because cert-manager does not inject certificates directly into Pods at deployment time. Instead, Pods consume certificates indirectly by mounting the Secrets created and maintained by cert-manager. This design aligns with Kubernetes best practices by keeping certificate management decoupled from application deployment logic.

According to Kubernetes and cert-manager documentation, cert-manager’s strength lies in its native integration with Kubernetes APIs and declarative workflows. By managing Certificate resources and automatically maintaining Secrets for use by Ingress or Gateway resources, cert-manager simplifies TLS management, reduces operational overhead, and improves security across cloud native application delivery pipelines. This makes option A the accurate and fully verified answer.

The true statement is A: a Kubernetes CronJob creates Jobs on a repeating schedule. CronJob is a controller designed for time-based execution. You define a schedule using standard cron syntax (minute, hour, day-of-month, month, day-of-week), and when the schedule triggers, the CronJob controller creates a Job object. Then the Job controller creates one or more Pods to run the task to completion.

Option B is incorrect because CronJobs do not “create one container”; they create Jobs, and Jobs create Pods (which may contain one or multiple containers). Option C is wrong because CronJobs are a core Kubernetes workload primitive for recurring tasks and remain widely used for periodic work like backups, batch processing, and cleanup. Option D is wrong because Kubernetes CronJobs intentionally use cron-like scheduling expressions; the format aligns with the cron concept (with Kubernetes-specific controller behavior around missed runs, concurrency, and history).

CronJobs also provide operational controls you don’t get from plain Linux cron on a node:

concurrencyPolicy (Allow/Forbid/Replace) to manage overlapping runs

startingDeadlineSeconds to control how missed schedules are handled

history limits for successful/failed Jobs to avoid clutter

integration with Kubernetes RBAC, Secrets, ConfigMaps, and volumes for consistent runtime configuration

consistent execution environment via container images, not ad-hoc node scripts

Because the CronJob creates Jobs as first-class API objects, you get observability (events/status), predictable retries, and lifecycle management. That’s why the accurate statement is A.

=========