Free Preparation Discussions
MENU
Linux Foundation KCNA Exam Questions
- Topic 1: Kubernetes Fundamentals: In this topic, existing and aspiring developers, administrators, architects, and managers are introduced to foundational Kubernetes concepts, covering Kubernetes resources, architecture, and the Kubernetes API. The topic discusses the role of containers and their relationship to Kubernetes, emphasizing how scheduling works within the cluster.
- Topic 2: Container Orchestration: This topic delves into the principles of container orchestration, including runtime, security, and networking within Kubernetes clusters. The discussion extends to service mesh and storage solutions, enabling the audience to design and manage scalable, secure containerized workloads. Understanding these concepts prepares the target audience to navigate Kubernetes orchestration and enhance operational efficiency in cloud-native workflows.
- Topic 3: Cloud Native Architecture: This section highlights autoscaling, serverless technologies, and the roles and personas that drive cloud-native innovation. It explores open standards, community involvement, and governance frameworks, enabling the target audience to design systems aligned with modern practices.
- Topic 4: Cloud Native Observability: In this topic, telemetry and observability tools like Prometheus are examined, focusing on monitoring, logging, and diagnostics. Cost management strategies are also discussed, offering insights into optimizing resource usage. This equips the target audience to ensure the reliability and cost-efficiency of cloud-native applications, enhancing system performance and business value.
- Topic 5: Cloud Native Application Delivery: This section introduces the fundamentals of application delivery, emphasizing GitOps and CI/CD pipelines. It outlines strategies for deploying and managing cloud-native applications effectively. By mastering these concepts, the target audience learns to streamline delivery processes and adopt modern workflows for continuous integration and deployment in Kubernetes environments.
Free Linux Foundation KCNA Exam Actual Questions
Note: Premium Questions for KCNA were last updated On May. 01, 2026 (see below)
Which of the following systems is NOT compatible with the CRI runtime interface standard?
(Typo corrected: ''CRI-0'' ''CRI-O'')
Kubernetes uses the Container Runtime Interface (CRI) to support pluggable container runtimes. The kubelet talks to a CRI-compatible runtime via gRPC, and that runtime is responsible for pulling images and running containers. In this context, containerd and CRI-O are CRI-compatible container runtimes (or runtime stacks) used widely with Kubernetes, and dockershim historically served as a compatibility layer that allowed kubelet to talk to Docker Engine as if it were CRI (before dockershim was removed from kubelet in newer Kubernetes versions). That leaves systemd as the correct ''NOT compatible with CRI'' answer, so C is correct.
systemd is an init system and service manager for Linux. While it can be involved in how services (like kubelet) are started and managed on the host, it is not a container runtime implementing CRI. It does not provide CRI gRPC endpoints for kubelet, nor does it manage containers in the CRI sense.
The deeper Kubernetes concept here is separation of responsibilities: kubelet is responsible for Pod lifecycle at the node level, but it delegates ''run containers'' to a runtime via CRI. Runtimes like containerd and CRI-O implement that contract; Kubernetes can swap them without changing kubelet logic. Historically, dockershim translated kubelet's CRI calls into Docker Engine calls. Even though dockershim is no longer part of kubelet, it was still ''CRI-adjacent'' in purpose and often treated as compatible in older curricula.
Therefore, among the provided options, systemd is the only one that is clearly not a CRI-compatible runtime system, making C correct.
=========
What does SBOM stand for?
SBOM stands for Software Bill of Materials, a critical concept in modern cloud native application delivery and software supply chain security. An SBOM is a formal, structured inventory that lists all components included in a software artifact, such as libraries, frameworks, dependencies, and their versions. This includes both direct and transitive dependencies that are bundled into applications, containers, or container images.
In cloud native environments, applications are often built using numerous open source components and third-party libraries. While this accelerates development, it also increases the risk of hidden vulnerabilities. An SBOM provides transparency into what software is actually running in production, enabling organizations to quickly identify whether they are affected by newly disclosed vulnerabilities or license compliance issues.
Option A is incorrect because SBOM is specific to software, not systems or hardware materials. Option B is incorrect because it describes a management process rather than a standardized inventory of software components. Option C is incorrect because SBOM is not a security baseline or policy framework; instead, it is a factual record of software contents that supports security and compliance efforts.
SBOMs are especially important in containerized and Kubernetes-based workflows. Container images often bundle many dependencies into a single artifact, making it difficult to assess risk without a detailed inventory. By generating and distributing SBOMs alongside container images, teams can integrate vulnerability scanning, compliance checks, and risk assessment earlier in the delivery pipeline. This practice aligns with the principles of DevSecOps and shift-left security.
Kubernetes and cloud native security guidance emphasize SBOMs as a foundational element of software supply chain security. They support faster incident response, improved trust between software producers and consumers, and stronger governance across the lifecycle of applications. As a result, Software Bill of Materials is the correct and fully verified expansion of SBOM, making option D the accurate answer.
Which of the following is a challenge derived from running cloud native applications?
The correct answer is B. Cloud-native applications often run across multiple environments---different cloud providers, regions, accounts/projects, and sometimes hybrid deployments. This introduces real cost-management complexity: pricing models differ (compute types, storage tiers, network egress), discount mechanisms vary (reserved capacity, savings plans), and telemetry/charge attribution can be inconsistent. When you add Kubernetes, the abstraction layer can further obscure cost drivers because costs are incurred at the infrastructure level (nodes, disks, load balancers) while consumption happens at the workload level (namespaces, Pods, services).
Option A is less relevant because cloud-native adoption often reduces dependence on maintaining a private datacenter; many organizations adopt cloud-native specifically to avoid datacenter CapEx/ops overhead. Option C is generally untrue---public registries and vendor registries contain vast numbers of images; the challenge is more about provenance, security, and supply chain than ''lack of images.'' Option D is incorrect because major clouds offer abundant services; the difficulty is choosing among them and controlling cost/complexity, not a lack of services.
Cost optimization being complex is a recognized challenge because cloud-native architectures include microservices sprawl, autoscaling, ephemeral environments, and pay-per-use dependencies (managed databases, message queues, observability). Small misconfigurations can cause big bills: noisy logs, over-requested resources, unbounded HPA scaling, and egress-heavy architectures. That's why practices like FinOps, tagging/labeling for allocation, and automated guardrails are emphasized.
So the best answer describing a real, common cloud-native challenge is B.
=========
What is the main role of the Kubernetes DNS within a cluster?
Kubernetes DNS (commonly implemented by CoreDNS) provides service discovery inside the cluster by assigning stable, consistent DNS names to Services and (optionally) Pods, which makes D correct. In a Kubernetes environment, Pods are ephemeral---IP addresses can change when Pods restart or move between nodes. DNS-based discovery allows applications to communicate using stable names rather than hardcoded IPs.
For Services, Kubernetes creates DNS records like service-name.namespace.svc.cluster.local, which resolve to the Service's virtual IP (ClusterIP) or, for headless Services, to the set of Pod endpoints. This supports both load-balanced communication (standard Service) and per-Pod addressing (headless Service, commonly used with StatefulSets). Kubernetes DNS is therefore a core building block that enables microservices to locate each other reliably.
Option A is not Kubernetes DNS's purpose; it serves cluster workloads rather than external VMs. Option B describes a managed DNS hosting product (creating zones/registries), which is outside the scope of cluster DNS. Option C describes protocol translation, which is not the role of DNS. Dual-stack support relates to IP families and networking configuration, not DNS translating IPv6 to IPv4.
In day-to-day Kubernetes operations, DNS reliability impacts everything: if DNS is unhealthy, Pods may fail to resolve Services, causing cascading outages. That's why CoreDNS is typically deployed as a highly available add-on in kube-system, and why DNS caching and scaling are important for large clusters.
So the correct statement is D: Kubernetes DNS provides consistent DNS names so workloads can communicate reliably.
=========
Which authorization-mode allows granular control over the operations that different entities can perform on different objects in a Kubernetes cluster?
Role Based Access Control (RBAC) is the standard Kubernetes authorization mode that provides granular control over what users and service accounts can do to which resources, so B is correct. RBAC works by defining Roles (namespaced) and ClusterRoles (cluster-wide) that contain sets of rules. Each rule specifies API groups, resource types, resource names (optional), and allowed verbs such as get, list, watch, create, update, patch, and delete. You then attach these roles to identities using RoleBindings or ClusterRoleBindings.
This gives fine-grained, auditable access control. For example, you can allow a CI service account to create and patch Deployments only in a specific namespace, while restricting it from reading Secrets. You can allow developers to view Pods and logs but prevent them from changing cluster-wide networking resources. This is exactly the ''granular control over operations on objects'' described by the question.
Why other options are not the best answer: ''Webhook mode'' is an authorization mechanism where Kubernetes calls an external service to decide authorization. While it can be granular depending on the external system, Kubernetes' common built-in answer for granular object-level control is RBAC. ''Node authorization'' is a specialized authorizer for kubelets/nodes to access resources they need; it's not the general-purpose system for all cluster entities. ABAC (Attribute-Based Access Control) is an older mechanism and is not the primary recommended authorization model; it can be expressive but is less commonly used and not the default best-practice for Kubernetes authorization today.
In Kubernetes security practice, RBAC is typically paired with authentication (certs/OIDC), admission controls, and namespaces to build a defense-in-depth security posture. RBAC policy is also central to least privilege: granting only what is necessary for a workload or user role to function. This reduces blast radius if credentials are compromised.
Therefore, the verified answer is B: Role Based Access Control.
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Barbara Wilson
15 days agoGary Wright
8 days agoDeborah Thomas
11 days agoVan
1 month agoShay
1 month agoShad
2 months agoLoren
2 months agoVeronique
2 months agoAnglea
2 months agoLizbeth
3 months agoAracelis
3 months agoJusta
3 months agoJani
3 months agoSlyvia
4 months agoBrett
4 months agoShala
4 months agoStephane
4 months agoMargart
5 months agoJeanice
5 months agoMariann
5 months agoLatosha
5 months agoMinna
6 months agoEvangelina
6 months agoNakita
6 months agoEllsworth
6 months agoCherri
7 months agoRanee
7 months agoCelia
7 months agoLyndia
7 months agoPeter
8 months agoMel
8 months agoGail
8 months agoCallie
8 months agoAlbina
8 months agoKeena
8 months agoWalker
10 months agoJina
10 months agoWillard
11 months agoPeggy
11 months agoGretchen
12 months agoMelda
1 year agoGabriele
1 year agoBarrie
1 year agoKasandra
1 year agoSharmaine
1 year agoArletta
1 year agoJaime
1 year agoKarl
1 year agoGlendora
1 year agoElke
1 year agoCarman
1 year agoJeanice
1 year agoNicolette
1 year agoBrittney
1 year agoIluminada
1 year agoLuann
1 year agoDelpha
1 year agoEmilio
1 year agoStevie
1 year agoCarey
1 year agoRickie
2 years agoCarli
2 years agoTegan
2 years agoHillary
2 years agoLilli
2 years agoKatina
2 years agoShoshana
2 years agoCarri
2 years agoCordelia
2 years agoMiesha
2 years agoTheola
2 years agoKaitlyn
2 years agoJeannetta
2 years agoTruman
2 years agoBrynn
2 years agoJeannetta
2 years agoCorinne
2 years agoValentin
2 years agoGerman
2 years agoAngelo
2 years ago