What default level of protection is applied to the data in Secrets in the Kubernetes API?
Kubernetes Secrets are designed to store sensitive data such as tokens, passwords, or certificates and make them available to Pods in controlled ways (as environment variables or mounted files). However, the default protection applied to Secret values in the Kubernetes API is base64 encoding, not encryption. That is why D is correct. Base64 is an encoding scheme that converts binary data into ASCII text; it is reversible and does not provide confidentiality.
By default, Secret objects are stored in the cluster's backing datastore (commonly etcd) as base64-encoded strings inside the Secret manifest. Unless the cluster is configured for encryption at rest, those values are effectively stored unencrypted in etcd and may be visible to anyone who can read etcd directly or who has API permissions to read Secrets. This distinction is critical for security: base64 can prevent accidental issues with special characters in YAML/JSON, but it does not protect against attackers.
Option A is only correct if encryption at rest is explicitly configured on the API server using an EncryptionConfiguration (for example, AES-CBC or AES-GCM providers). Many managed Kubernetes offerings enable encryption at rest for etcd as an option or by default, but that is a deployment choice, not the universal Kubernetes default. Option C is incorrect because hashing is used for verification, not for secret retrieval; you typically need to recover the original value, so hashing isn't suitable for Secrets. Option B ("plain text") is misleading: the stored representation is base64-encoded, but because base64 is reversible, the security outcome is close to plain text unless encryption at rest and strict RBAC are in place.
The correct operational stance is: treat Kubernetes Secrets as sensitive; lock down access with RBAC, enable encryption at rest, avoid broad Secret read permissions, and consider external secret managers when appropriate. But strictly for the question's wording (default level of protection), base64 encoding is the right answer.
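The point about reversibility and encryption at rest, as an added example that is not part of the original page: the first function recovers Secret values from a manifest's data map without any key, and the second checks a raw etcd value for the `k8s:enc:<provider>:<version>:<key name>:` prefix the API server writes when an EncryptionConfiguration provider is active. The manifest data, etcd byte strings and function names are constructed for illustration.

```python
import base64

# Constructed sample: the .data map of a Secret as returned by the API
# (for example by `kubectl get secret NAME -o json`).
SAMPLE_SECRET_DATA = {"username": "YWRtaW4=", "password": "aHVudGVyMg=="}

# Constructed samples of raw etcd values stored under /registry/secrets/...
ETCD_PLAIN = b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret (constructed body)"
ETCD_ENCRYPTED = b"k8s:enc:aescbc:v1:key1:\x8f\x13:\xa2 (constructed ciphertext)"

# Written by the API server in front of values encrypted at rest.
ENC_PREFIX = b"k8s:enc:"


def decode_secret_data(data):
    """Recover every value from a Secret's .data map. No key is involved."""
    return {name: base64.b64decode(value).decode("utf-8")
            for name, value in data.items()}


def etcd_protection(raw):
    """Report how a raw etcd value for a Secret is protected at rest."""
    if not raw.startswith(ENC_PREFIX):
        return {"encrypted": False, "provider": None, "key": None}
    # Layout: k8s:enc:<provider>:<version>:<key name>:<ciphertext>
    # The ciphertext may itself contain ':' bytes, so cap the split.
    parts = raw.split(b":", 5)
    if len(parts) < 6:
        return {"encrypted": True, "provider": "unknown", "key": None}
    return {"encrypted": True, "provider": parts[2].decode(),
            "key": parts[4].decode()}


if __name__ == "__main__":
    print(decode_secret_data(SAMPLE_SECRET_DATA))
    for label, raw in (("plain", ETCD_PLAIN), ("encrypted", ETCD_ENCRYPTED)):
        print(label, etcd_protection(raw))
```

Running the same prefix check against a real value read from etcd is a quick way to confirm that encryption at rest is actually in effect for Secrets.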
=========
Which component of the Kubernetes architecture is responsible for integration with the CRI container runtime?
The correct answer is B: kubelet. The Container Runtime Interface (CRI) defines how Kubernetes interacts with container runtimes in a consistent, pluggable way. The component that speaks CRI is the kubelet, the node agent responsible for running Pods on each node. When the kube-scheduler assigns a Pod to a node, the kubelet reads the PodSpec and makes the runtime calls needed to realize that desired state: pull images, create a Pod sandbox, start containers, stop containers, and retrieve status and logs. Those calls are made via CRI to a CRI-compliant runtime such as containerd or CRI-O.
Why not the others:
kubeadm bootstraps clusters (init/join/upgrade workflows) but does not run containers or speak CRI for workload execution.
kube-apiserver is the control plane API frontend; it stores and serves cluster state and does not directly integrate with runtimes.
kubectl is just a client tool that sends API requests; it is not involved in runtime integration on nodes.
This distinction matters operationally. If the runtime is misconfigured or CRI endpoints are unreachable, kubelet will report errors and Pods can get stuck in ContainerCreating, image pull failures, or runtime errors. Debugging often involves checking kubelet logs and runtime service health, because kubelet is the integration point bridging Kubernetes scheduling/state with actual container execution.
So, the node-level component responsible for CRI integration is the kubelet (option B).
=========
Which of the following options includes valid API versions?
Kubernetes API versions follow a consistent naming pattern that indicates stability level and versioning. The valid forms include stable versions like v1, and pre-release versions such as v1alpha1, v1beta1, etc. Option C contains valid-looking Kubernetes version strings (v1alpha1, v2beta3, v2), so C is correct.
In Kubernetes, the "v" prefix is part of the standard for API versions. A stable API uses v1, v2, etc. Pre-release APIs include a stability marker: alpha (earliest, most changeable) and beta (more stable but still may change). The numeric suffix (e.g., alpha1, beta3) indicates iteration within that stability stage.
Option A is invalid because strings like alpha1v1 and beta3v3 do not match Kubernetes conventions (the v comes first, and alpha/beta are qualifiers after the version: v1alpha1). Option B is invalid because alpha1 and beta3 are missing the leading version prefix; Kubernetes API versions are not just "alpha1." Option D includes 2.0, which looks like semantic versioning but is not the Kubernetes API version format. Kubernetes uses v2, not 2.0, for API versions.
Understanding this matters because API versions signal compatibility guarantees. Stable APIs are supported for a defined deprecation window, while alpha/beta APIs may change in incompatible ways and can be removed more easily. When authoring manifests, selecting the correct apiVersion ensures the API server accepts your resource and that controllers interpret fields correctly.
Therefore, among the choices, C is the only option comprised of valid Kubernetes-style API version strings.
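The naming convention described above, written as a small parser (an added example, not part of the original page): it accepts `v<number>` with an optional `alpha<number>` or `beta<number>` qualifier, reports the stability stage, and also handles the `group/version` form used in a manifest's apiVersion field. The function names are hypothetical.

```python
import re

# v<major>, optionally followed by alpha<N> or beta<N>; nothing else allowed.
VERSION_RE = re.compile(r"v([0-9]+)(?:(alpha|beta)([0-9]+))?")


def parse_api_version(version):
    """Return major/stability/iteration for a version string, or None if invalid."""
    match = VERSION_RE.fullmatch(version)
    if match is None:
        return None
    major, stage, iteration = match.groups()
    return {
        "major": int(major),
        "stability": stage or "stable",
        "iteration": int(iteration) if iteration else None,
    }


def split_api_version(api_version):
    """Parse a manifest apiVersion: 'group/version', or a bare version for the core group."""
    group, _, version = api_version.rpartition("/")
    parsed = parse_api_version(version)
    if parsed is None:
        raise ValueError("not a Kubernetes-style API version: %r" % api_version)
    return dict(parsed, group=group or "core")


if __name__ == "__main__":
    # The strings quoted in the explanation above.
    for text in ("v1alpha1", "v2beta3", "v2", "alpha1v1", "beta3v3",
                 "alpha1", "beta3", "2.0"):
        print(text, "->", parse_api_version(text))
    print(split_api_version("batch/v1beta1"))
```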
=========
Which of the following systems is NOT compatible with the CRI runtime interface standard?
(Typo corrected: "CRI-0" → "CRI-O")
Kubernetes uses the Container Runtime Interface (CRI) to support pluggable container runtimes. The kubelet talks to a CRI-compatible runtime via gRPC, and that runtime is responsible for pulling images and running containers. In this context, containerd and CRI-O are CRI-compatible container runtimes (or runtime stacks) used widely with Kubernetes, and dockershim historically served as a compatibility layer that allowed kubelet to talk to Docker Engine as if it were CRI (before dockershim was removed from kubelet in newer Kubernetes versions). That leaves systemd as the correct "NOT compatible with CRI" answer, so C is correct.
systemd is an init system and service manager for Linux. While it can be involved in how services (like kubelet) are started and managed on the host, it is not a container runtime implementing CRI. It does not provide CRI gRPC endpoints for kubelet, nor does it manage containers in the CRI sense.
The deeper Kubernetes concept here is separation of responsibilities: kubelet is responsible for Pod lifecycle at the node level, but it delegates "run containers" to a runtime via CRI. Runtimes like containerd and CRI-O implement that contract; Kubernetes can swap them without changing kubelet logic. Historically, dockershim translated kubelet's CRI calls into Docker Engine calls. Even though dockershim is no longer part of kubelet, it was still "CRI-adjacent" in purpose and often treated as compatible in older curricula.
Therefore, among the provided options, systemd is the only one that is clearly not a CRI-compatible runtime system, making C correct.
=========
What does SBOM stand for?
SBOM stands for Software Bill of Materials, a critical concept in modern cloud native application delivery and software supply chain security. An SBOM is a formal, structured inventory that lists all components included in a software artifact, such as libraries, frameworks, dependencies, and their versions. This includes both direct and transitive dependencies that are bundled into applications, containers, or container images.
In cloud native environments, applications are often built using numerous open source components and third-party libraries. While this accelerates development, it also increases the risk of hidden vulnerabilities. An SBOM provides transparency into what software is actually running in production, enabling organizations to quickly identify whether they are affected by newly disclosed vulnerabilities or license compliance issues.
Option A is incorrect because SBOM is specific to software, not systems or hardware materials. Option B is incorrect because it describes a management process rather than a standardized inventory of software components. Option C is incorrect because SBOM is not a security baseline or policy framework; instead, it is a factual record of software contents that supports security and compliance efforts.
SBOMs are especially important in containerized and Kubernetes-based workflows. Container images often bundle many dependencies into a single artifact, making it difficult to assess risk without a detailed inventory. By generating and distributing SBOMs alongside container images, teams can integrate vulnerability scanning, compliance checks, and risk assessment earlier in the delivery pipeline. This practice aligns with the principles of DevSecOps and shift-left security.
Kubernetes and cloud native security guidance emphasize SBOMs as a foundational element of software supply chain security. They support faster incident response, improved trust between software producers and consumers, and stronger governance across the lifecycle of applications. As a result, Software Bill of Materials is the correct and fully verified expansion of SBOM, making option D the accurate answer.
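How an SBOM answers "are we affected?" when a new vulnerability is disclosed, as an added example that is not part of the original page: it matches a CycloneDX-style SBOM against an advisory and walks the dependency graph to show whether the affected component is a direct or a transitive dependency. The SBOM contents, the advisory and all function names are constructed for illustration.

```python
import json

# Constructed CycloneDX-style SBOM; every name and version here is invented.
SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "name": "shop-api"}},
 "components": [
  {"bom-ref": "fw", "name": "web-framework", "version": "4.2.0"},
  {"bom-ref": "yp", "name": "yaml-parser", "version": "1.3.1"},
  {"bom-ref": "lg", "name": "logging-lib", "version": "2.14.0"}],
 "dependencies": [
  {"ref": "app", "dependsOn": ["fw", "lg"]},
  {"ref": "fw", "dependsOn": ["yp"]}]}
""")

# Constructed advisory: affects versions in the range [introduced, fixed).
ADVISORY = {"package": "yaml-parser", "introduced": "1.0.0", "fixed": "1.3.2"}

def ver_key(text):
    """Dotted numeric version as an integer tuple, so 1.10.0 > 1.9.0."""
    return tuple(int(part) for part in text.split("."))

def dependency_path(sbom, target_ref):
    """Breadth-first search from the root component to target_ref."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    queue, seen = [[root]], {root}
    while queue:
        path = queue.pop(0)
        if path[-1] == target_ref:
            return path
        for ref in edges.get(path[-1], []):
            if ref not in seen:
                seen.add(ref)
                queue.append(path + [ref])
    return [target_ref]  # listed in the SBOM but not reachable from the root

def affected_components(sbom, advisory):
    """Components hit by the advisory, with the chain that pulls each one in."""
    root = sbom["metadata"]["component"]
    names = {c["bom-ref"]: c["name"] for c in sbom["components"] + [root]}
    low, high = ver_key(advisory["introduced"]), ver_key(advisory["fixed"])
    hits = []
    for comp in sbom["components"]:
        if comp["name"] == advisory["package"] and low <= ver_key(comp["version"]) < high:
            path = dependency_path(sbom, comp["bom-ref"])
            hits.append({"version": comp["version"], "transitive": len(path) > 2,
                         "via": [names[ref] for ref in path]})
    return hits
```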